From 5690096e79cb65c0a049735a515cc19fde492e1b Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 14 Aug 2019 13:41:47 +0200
Subject: [PATCH] COOP and COEP tests

See the added html/cross-origin-opener-policy/README.md for details. See #18354 for remaining work.
---
 html/cross-origin-embedder-policy/README.md   |   1 +
 .../blob.https.html                           |  44 ++++
 .../blob.https.html.headers                   |   1 +
 .../data.https.html                           |  20 ++
 .../data.https.html.headers                   |   1 +
 .../non-initial-about-blank.https.html        |  21 ++
 ...non-initial-about-blank.https.html.headers |   1 +
 .../none.https.html                           |  79 +++++++
 .../none.https.html.headers                   |   1 +
 .../require-corp.https.html                   | 138 +++++++++++
 .../require-corp.https.html.headers           |   1 +
 .../resources/blob-url-factory.html           |  17 ++
 .../resources/blob-url-factory.html.headers   |   2 +
 .../resources/navigate-none.sub.html}         |   0
 .../resources/navigate-require-corp.sub.html} |   0
 .../navigate-require-corp.sub.html.headers    |   1 +
 .../resources/nothing-cross-origin-corp.txt   |   1 +
 .../nothing-cross-origin-corp.txt.headers     |   1 +
 .../resources/nothing-same-origin-corp.txt    |   1 +
 .../nothing-same-origin-corp.txt.headers      |   1 +
 .../resources/script-factory.js               |  23 ++
 .../sandbox.https.html                        |  40 ++++
 .../sandbox.https.html.headers                |   1 +
 .../srcdoc.https.html                         |  21 ++
 .../srcdoc.https.html.headers                 |   1 +
 html/cross-origin-opener-policy/README.md     |  11 +
 .../coep-navigate-popup.https.html            |  62 +++++
 .../coep-navigate-popup.https.html.headers    |   2 +
 .../coep-redirect.https.html                  |  67 ++++++
 .../coep-redirect.https.html.headers          |   2 +
 .../coep.https.html                           |  43 ++++
 .../coep.https.html.headers                   |   2 +
 .../coop-navigated-popup.https.html           |  29 +++
 .../coop-navigated-popup.https.html.headers}  |   0
 .../coop-sandbox.https.html                   |  22 ++
 .../coop-sandbox.https.html.headers}          |   0
 html/cross-origin-opener-policy/no-https.html |  18 ++
 .../no-https.html.headers                     |   1 +
 .../popup-none.https.html}                    |   5 +-
 ...-origin-non-initial-about-blank.https.html |  15 ++
 ...non-initial-about-blank.https.html.headers |   1 +
 ...e-origin-unsafe-allow-outgoing.https.html} |   3 +-
 ...n-unsafe-allow-outgoing.https.html.headers |   1 +
 .../popup-same-origin.https.html}             |   3 +-
 .../popup-same-origin.https.html.headers      |   1 +
 ...ame-site-unsafe-allow-outgoing.https.html} |   3 +-
 ...-unsafe-allow-outgoing.https.html.headers} |   0
 .../popup-same-site.https.html}               |   3 +-
 .../popup-same-site.https.html.headers}       |   0
 .../resources/common.js                       |  36 +++
 .../resources/coop-coep.py                    |  35 +++
 .../resources/postback.html                   |  10 +
 .../resources/postback.html.headers           |   1 +
 html/cross-origin-opener/common.sub.js        |  28 ---
 .../resources/coop_window.py                  |  10 -
 .../resources/postback.sub.html               |  13 --
 .../resources/window.sub.html                 |  18 --
 .../resources/window.sub.html.headers         |   1 -
 html/cross-origin/anonymous.tentative.html    | 219 ------------------
 .../anonymous.tentative.html.headers          |   1 -
 html/cross-origin/null.tentative.html         | 103 --------
 html/cross-origin/null.tentative.html.headers |   1 -
 .../navigate_anonymous.sub.html.headers       |   1 -
 .../navigate_usecredentials.sub.html          |  18 --
 .../navigate_usecredentials.sub.html.headers  |   1 -
 html/cross-origin/resources/nothing.txt       |   1 -
 .../resources/nothing.txt.headers             |   1 -
 .../resources/popup_and_close.sub.html        |  18 --
 .../popup_and_close.sub.html.headers          |   1 -
 .../usecredentials.tentative.html             |  54 -----
 .../usecredentials.tentative.html.headers     |   1 -
 lint.whitelist                                |   2 +
 72 files changed, 785 insertions(+), 501 deletions(-)
 create mode 100644 html/cross-origin-embedder-policy/README.md
 create mode 100644 html/cross-origin-embedder-policy/blob.https.html
 create mode 100644 html/cross-origin-embedder-policy/blob.https.html.headers
 create mode 100644 html/cross-origin-embedder-policy/data.https.html
 create mode 100644 html/cross-origin-embedder-policy/data.https.html.headers
 create mode 100644 html/cross-origin-embedder-policy/non-initial-about-blank.https.html
 create mode 100644 html/cross-origin-embedder-policy/non-initial-about-blank.https.html.headers
 create mode 100644 html/cross-origin-embedder-policy/none.https.html
 create mode 100644 html/cross-origin-embedder-policy/none.https.html.headers
 create mode 100644 html/cross-origin-embedder-policy/require-corp.https.html
 create mode 100644 html/cross-origin-embedder-policy/require-corp.https.html.headers
 create mode 100644 html/cross-origin-embedder-policy/resources/blob-url-factory.html
 create mode 100644 html/cross-origin-embedder-policy/resources/blob-url-factory.html.headers
 rename html/{cross-origin/resources/navigate_null.sub.html => cross-origin-embedder-policy/resources/navigate-none.sub.html} (100%)
 rename html/{cross-origin/resources/navigate_anonymous.sub.html => cross-origin-embedder-policy/resources/navigate-require-corp.sub.html} (100%)
 create mode 100644 html/cross-origin-embedder-policy/resources/navigate-require-corp.sub.html.headers
 create mode 100644 html/cross-origin-embedder-policy/resources/nothing-cross-origin-corp.txt
 create mode 100644 html/cross-origin-embedder-policy/resources/nothing-cross-origin-corp.txt.headers
 create mode 100644 html/cross-origin-embedder-policy/resources/nothing-same-origin-corp.txt
 create mode 100644 html/cross-origin-embedder-policy/resources/nothing-same-origin-corp.txt.headers
 create mode 100644 html/cross-origin-embedder-policy/resources/script-factory.js
 create mode 100644 html/cross-origin-embedder-policy/sandbox.https.html
 create mode 100644 html/cross-origin-embedder-policy/sandbox.https.html.headers
 create mode 100644 html/cross-origin-embedder-policy/srcdoc.https.html
 create mode 100644 html/cross-origin-embedder-policy/srcdoc.https.html.headers
 create mode 100644 html/cross-origin-opener-policy/README.md
 create mode 100644 html/cross-origin-opener-policy/coep-navigate-popup.https.html
 create mode 100644 html/cross-origin-opener-policy/coep-navigate-popup.https.html.headers
 create mode 100644 html/cross-origin-opener-policy/coep-redirect.https.html
 create mode 100644 html/cross-origin-opener-policy/coep-redirect.https.html.headers
 create mode 100644 html/cross-origin-opener-policy/coep.https.html
 create mode 100644 html/cross-origin-opener-policy/coep.https.html.headers
 create mode 100644 html/cross-origin-opener-policy/coop-navigated-popup.https.html
 rename html/{cross-origin-opener/new_window_same_origin_unsafe_allow_outgoing.tentative.html.headers => cross-origin-opener-policy/coop-navigated-popup.https.html.headers} (100%)
 create mode 100644 html/cross-origin-opener-policy/coop-sandbox.https.html
 rename html/{cross-origin-opener/new_window_same_origin.tentative.html.headers => cross-origin-opener-policy/coop-sandbox.https.html.headers} (100%)
 create mode 100644 html/cross-origin-opener-policy/no-https.html
 create mode 100644 html/cross-origin-opener-policy/no-https.html.headers
 rename html/{cross-origin-opener/new_window_null.tentative.html => cross-origin-opener-policy/popup-none.https.html} (93%)
 create mode 100644 html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html
 create mode 100644 html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html.headers
 rename html/{cross-origin-opener/new_window_same_origin_unsafe_allow_outgoing.tentative.html => cross-origin-opener-policy/popup-same-origin-unsafe-allow-outgoing.https.html} (96%)
 create mode 100644 html/cross-origin-opener-policy/popup-same-origin-unsafe-allow-outgoing.https.html.headers
 rename html/{cross-origin-opener/new_window_same_origin.tentative.html => cross-origin-opener-policy/popup-same-origin.https.html} (96%)
 create mode 100644 html/cross-origin-opener-policy/popup-same-origin.https.html.headers
 rename html/{cross-origin-opener/new_window_same_site_unsafe_allow_outgoing.tentative.html => cross-origin-opener-policy/popup-same-site-unsafe-allow-outgoing.https.html} (96%)
 rename html/{cross-origin-opener/new_window_same_site_unsafe_allow_outgoing.tentative.html.headers => cross-origin-opener-policy/popup-same-site-unsafe-allow-outgoing.https.html.headers} (100%)
 rename html/{cross-origin-opener/new_window_same_site.tentative.html => cross-origin-opener-policy/popup-same-site.https.html} (96%)
 rename html/{cross-origin-opener/new_window_same_site.tentative.html.headers => cross-origin-opener-policy/popup-same-site.https.html.headers} (100%)
 create mode 100644 html/cross-origin-opener-policy/resources/common.js
 create mode 100644 html/cross-origin-opener-policy/resources/coop-coep.py
 create mode 100644 html/cross-origin-opener-policy/resources/postback.html
 create mode 100644 html/cross-origin-opener-policy/resources/postback.html.headers
 delete mode 100644 html/cross-origin-opener/common.sub.js
 delete mode 100644 html/cross-origin-opener/resources/coop_window.py
 delete mode 100644 html/cross-origin-opener/resources/postback.sub.html
 delete mode 100644 html/cross-origin-opener/resources/window.sub.html
 delete mode 100644 html/cross-origin-opener/resources/window.sub.html.headers
 delete mode 100644 html/cross-origin/anonymous.tentative.html
 delete mode 100644 html/cross-origin/anonymous.tentative.html.headers
 delete mode 100644 html/cross-origin/null.tentative.html
 delete mode 100644 html/cross-origin/null.tentative.html.headers
 delete mode 100644 html/cross-origin/resources/navigate_anonymous.sub.html.headers
 delete mode 100644 html/cross-origin/resources/navigate_usecredentials.sub.html
 delete mode 100644 html/cross-origin/resources/navigate_usecredentials.sub.html.headers
 delete mode 100644 html/cross-origin/resources/nothing.txt
 delete mode 100644 html/cross-origin/resources/nothing.txt.headers
 delete mode 100644 html/cross-origin/resources/popup_and_close.sub.html
 delete mode 100644 html/cross-origin/resources/popup_and_close.sub.html.headers
 delete mode 100644 html/cross-origin/usecredentials.tentative.html
 delete mode 100644 html/cross-origin/usecredentials.tentative.html.headers

diff --git a/html/cross-origin-embedder-policy/README.md b/html/cross-origin-embedder-policy/README.md
new file mode 100644
index 00000000000000..16179eb0133a9e
--- /dev/null
+++ b/html/cross-origin-embedder-policy/README.md
@@ -0,0 +1 @@
+See `../cross-origin-opener-policy/README.md`.
diff --git a/html/cross-origin-embedder-policy/blob.https.html b/html/cross-origin-embedder-policy/blob.https.html
new file mode 100644
index 00000000000000..aa4cf969d9e0fe
--- /dev/null
+++ b/html/cross-origin-embedder-policy/blob.https.html
@@ -0,0 +1,44 @@
+<!doctype html>
+<meta charset=utf-8>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<div id=log></div>
+<script>
+const origins = get_host_info();
+[
+  {
+    "origin": origins.HTTPS_ORIGIN,
+    "crossOrigin": origins.HTTPS_REMOTE_ORIGIN
+  },
+  {
+    "origin": origins.HTTPS_REMOTE_ORIGIN,
+    "crossOrigin": origins.HTTPS_NOTSAMESITE_ORIGIN
+  },
+  {
+    "origin": origins.HTTPS_NOTSAMESITE_ORIGIN,
+    "crossOrigin": origins.HTTPS_ORIGIN
+  }
+].forEach(({ origin, crossOrigin }) => {
+  ["subframe", "navigate"].forEach(variant => {
+    async_test(t => {
+      const id = token();
+      const frame = document.createElement("iframe");
+      t.add_cleanup(() => { frame.remove(); });
+      const path = new URL("resources/blob-url-factory.html", window.location).pathname;
+      frame.src = `${origin}${path}?id=${id}&variant=${variant}&crossOrigin=${crossOrigin}`;
+      window.addEventListener("message", t.step_func(({ data }) => {
+        if (data.id !== id) {
+          return;
+        }
+        assert_equals(data.origin, origin);
+        assert_true(data.sameOriginNoCORPSuccess, "Same-origin without CORP did not succeed");
+        assert_true(data.crossOriginNoCORPFailure, "Cross-origin without CORP did not fail");
+        t.done();
+      }));
+      document.body.append(frame);
+    }, `Cross-Origin-Embedder-Policy and blob: URL from ${origin} in subframe via ${variant}`);
+  });
+});
+</script>
diff --git a/html/cross-origin-embedder-policy/blob.https.html.headers b/html/cross-origin-embedder-policy/blob.https.html.headers
new file mode 100644
index 00000000000000..6604450991a122
--- /dev/null
+++ b/html/cross-origin-embedder-policy/blob.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/html/cross-origin-embedder-policy/data.https.html b/html/cross-origin-embedder-policy/data.https.html
new file mode 100644
index 00000000000000..c34f1336c8bd22
--- /dev/null
+++ b/html/cross-origin-embedder-policy/data.https.html
@@ -0,0 +1,20 @@
+<!doctype html>
+<meta charset=utf-8>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="resources/script-factory.js"></script>
+<div id=log></div>
+<script>
+async_test(t => {
+  window.addEventListener("message", t.step_func_done(({ data }) => {
+    assert_equals(data.id, "");
+    assert_equals(data.origin, "null");
+    assert_false(data.sameOriginNoCORPSuccess); // This is effectively a no-op for this test
+    assert_true(data.crossOriginNoCORPFailure, "Cross-origin without CORP did not fail");
+  }));
+  const frame = document.createElement("iframe");
+  t.add_cleanup(() => frame.remove());
+  frame.src = `data:text/html,${createScript("null", window.origin)}`;
+  document.body.append(frame);
+}, "Cross-Origin-Embedder-Policy and data: URLs");
+</script>
diff --git a/html/cross-origin-embedder-policy/data.https.html.headers b/html/cross-origin-embedder-policy/data.https.html.headers
new file mode 100644
index 00000000000000..6604450991a122
--- /dev/null
+++ b/html/cross-origin-embedder-policy/data.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/html/cross-origin-embedder-policy/non-initial-about-blank.https.html b/html/cross-origin-embedder-policy/non-initial-about-blank.https.html
new file mode 100644
index 00000000000000..7fed1fe58194a2
--- /dev/null
+++ b/html/cross-origin-embedder-policy/non-initial-about-blank.https.html
@@ -0,0 +1,21 @@
+<!doctype html>
+<meta charset=utf-8>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+<script>
+async_test(t => {
+  const frame = document.createElement("iframe");
+  t.add_cleanup(() => frame.remove());
+  let i = 0;
+  frame.onload = t.step_func(() => {
+    i++;
+    assert_equals(frame.contentDocument.URL, "about:blank");
+    frame.src = "about:blank";
+    if (i == 2) {
+      t.done();
+    }
+  });
+  document.body.append(frame);
+}, "Cross-Origin-Embedder-Policy and about:blank");
+</script>
diff --git a/html/cross-origin-embedder-policy/non-initial-about-blank.https.html.headers b/html/cross-origin-embedder-policy/non-initial-about-blank.https.html.headers
new file mode 100644
index 00000000000000..6604450991a122
--- /dev/null
+++ b/html/cross-origin-embedder-policy/non-initial-about-blank.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/html/cross-origin-embedder-policy/none.https.html b/html/cross-origin-embedder-policy/none.https.html
new file mode 100644
index 00000000000000..b1bb6fefc6cfa4
--- /dev/null
+++ b/html/cross-origin-embedder-policy/none.https.html
@@ -0,0 +1,79 @@
+<!doctype html>
+<meta name="timeout" content="long">
+<title>Cross-Origin-Embedder-Policy header and nested navigable resource without such header</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/common/utils.js></script> <!-- Use token() to allow running tests in parallel -->
+<div id=log></div>
+<script>
+async_test(t => {
+  const frame = document.createElement("iframe");
+  t.add_cleanup(() => frame.remove());
+  frame.onload = t.step_func_done(() => {
+    assert_not_equals(frame.contentDocument, null);
+  });
+  frame.src = "/common/blank.html";
+  document.body.append(frame);
+  assert_equals(frame.contentDocument.body.localName, "body");
+}, `"none" top-level: navigating a frame to "none" should succeed`);
+
+async_test(t => {
+  const frame = document.createElement("iframe");
+  t.add_cleanup(() => frame.remove());
+  const blank = "/common/blank.html";
+  let firstNavOk = false;
+  frame.onload = t.step_func(() => {
+    if (!firstNavOk) {
+      assert_not_equals(frame.contentDocument, null);
+      firstNavOk = true;
+    } else {
+      assert_not_equals(frame.contentDocument, null);
+      assert_equals(frame.contentWindow.location.pathname, blank);
+      t.done();
+    }
+  });
+  frame.src = `resources/navigate-require-corp.sub.html?to=${blank}`;
+  document.body.append(frame);
+  assert_equals(frame.contentDocument.body.localName, "body");
+}, `"none" top-level: navigating a frame from "require-corp" to "none" should succeed`);
+
+async_test(t => {
+  const w = window.open(`resources/navigate-none.sub.html?to=navigate-require-corp.sub.html`, "window_name");
+  t.add_cleanup(() => w.close());
+
+  t.step_timeout(() => {
+    w.history.back();
+    t.step_timeout(() => {
+      assert_not_equals(w.document, null);
+      t.done();
+    }, 500);
+  }, 500);
+}, `"none" top-level: navigating a frame back from "require-corp" should succeed`);
+
+async_test(t => {
+  let pageLoaded = false;
+  const bc = new BroadcastChannel(token());
+  let finished = false;
+  bc.onmessage = t.step_func((event) => {
+    pageLoaded = true;
+    let payload = event.data;
+    assert_equals(payload, "loaded");
+  });
+
+  const bc2 = new BroadcastChannel(token());
+  bc2.onmessage = t.step_func((event) => {
+    finished = true;
+    let payload = event.data;
+    assert_equals(payload, "loaded");
+  });
+
+  const win = window.open(`resources/navigate-require-corp.sub.html?channelName=${bc.name}&to=navigate-none.sub.html?channelName=${bc2.name}`, "_blank", "noopener");
+  assert_equals(win, null);
+
+  t.step_timeout(() => {
+    assert_true(pageLoaded);
+    assert_true(finished);
+    t.done();
+  }, 500);
+}, `"require-corp" top-level noopener popup: navigating to "none" should succeed`);
+</script>
diff --git a/html/cross-origin-embedder-policy/none.https.html.headers b/html/cross-origin-embedder-policy/none.https.html.headers
new file mode 100644
index 00000000000000..43c44cffd64e01
--- /dev/null
+++ b/html/cross-origin-embedder-policy/none.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Embedder-Policy: unknown-should-be-parsed-as-null
diff --git a/html/cross-origin-embedder-policy/require-corp.https.html b/html/cross-origin-embedder-policy/require-corp.https.html
new file mode 100644
index 00000000000000..0bd6aab729533b
--- /dev/null
+++ b/html/cross-origin-embedder-policy/require-corp.https.html
@@ -0,0 +1,138 @@
+<!doctype html>
+<meta name="timeout" content="long">
+<title>Cross-Origin-Embedder-Policy header and nested navigable resource without such header</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script> <!-- Use token() to allow running tests in parallel -->
+<div id=log></div>
+<script>
+async_test(t => {
+  const frame = document.createElement("iframe");
+  t.add_cleanup(() => frame.remove());
+  t.step_timeout(() => {
+    // Make sure the iframe didn't load. See https://github.com/whatwg/html/issues/125 for why a
+    // timeout is used here. Long term all network error handling should be similar and have a
+    // reliable event.
+    assert_equals(frame.contentDocument, null);
+    t.done();
+  }, 500);
+  frame.src = "/common/blank.html";
+  document.body.append(frame);
+  assert_equals(frame.contentDocument.body.localName, "body");
+}, `"require-corp" top-level: navigating a frame to "none" should fail`);
+
+async_test(t => {
+  const frame = document.createElement("iframe");
+  t.add_cleanup(() => frame.remove());
+  const bc = new BroadcastChannel(token());
+  bc.onmessage = t.step_func((event) => {
+    assert_not_equals(frame.contentDocument, null);
+    let payload = event.data;
+    assert_equals(payload, "loaded");
+    t.step_timeout(() => {
+      assert_equals(frame.contentDocument, null);
+      t.done();
+    }, 500);
+  });
+  frame.src = `resources/navigate-require-corp.sub.html?channelName=${bc.name}&to=/common/blank.html`;
+  document.body.append(frame);
+  assert_equals(frame.contentDocument.body.localName, "body");
+}, `"require-corp" top-level: navigating a frame from "require-corp" to "none" should fail`);
+
+async_test(t => {
+  let pageLoaded = false;
+  const bc = new BroadcastChannel(token());
+  let finished = false;
+  bc.onmessage = t.step_func((event) => {
+    let payload = event.data;
+    assert_equals(payload, "loaded");
+    pageLoaded = true;
+  });
+
+  const bc2 = new BroadcastChannel(token());
+  bc2.onmessage = t.step_func_done((event) => {
+    let payload = event.data;
+    assert_equals(payload, "loaded");
+    assert_equals(pageLoaded, true);
+  });
+
+  const win = window.open(`resources/navigate-none.sub.html?channelName=${bc.name}&to=navigate-none.sub.html?channelName=${bc2.name}`, "_blank", "noopener");
+  assert_equals(win, null);
+}, `"require-corp" top-level: creating a noopener "none" popup should succeed`);
+
+async_test(t => {
+  let pageLoaded = false;
+  const bc = new BroadcastChannel(token());
+  bc.onmessage = t.step_func_done((event) => {
+    pageLoaded = true;
+    let payload = event.data;
+    assert_equals(payload, "loaded");
+  });
+
+  const win = window.open(`resources/navigate-none.sub.html?channelName=${bc.name}&to=/common/blank.html`, "_blank");
+  t.add_cleanup(() => win.close());
+  t.step_timeout(() => {
+    assert_equals(pageLoaded, true);
+    t.done();
+  }, 500);
+}, `"require-corp" top-level: creating a "none" popup should succeed.`);
+
+[
+  {
+    "name": "",
+    "title": "as popup"
+  },
+  {
+    "name": "noopener",
+    "title": "as noopener popup"
+  },
+  {
+    "name": "clear opener",
+    "title": "as popup with opener set to null"
+  }
+].forEach(({name, title}) => {
+  async_test(t => {
+    let pageLoaded = false;
+    const bc = new BroadcastChannel(token());
+    bc.onmessage = t.step_func(event => {
+      pageLoaded = true;
+      const payload = event.data;
+      assert_equals(payload, "loaded");
+    });
+
+    const bc2 = new BroadcastChannel(token());
+    bc2.onmessage = t.step_func_done(event => {
+      const payload = event.data;
+      assert_equals(payload, "loaded");
+      assert_equals(pageLoaded, true);
+    });
+
+    let clearOpener = "";
+    if (name === "clear opener") {
+      clearOpener = "&clearOpener=true"
+    }
+
+    let noopener = undefined;
+    if (name === "noopener") {
+      noopener = "noopener"
+    }
+
+    const win = window.open(`resources/navigate-require-corp.sub.html?channelName=${bc.name}${clearOpener}&to=navigate-none.sub.html?channelName=${bc2.name}`, "_blank", noopener);
+    if (name === "noopener") {
+      assert_equals(win, null);
+    } else {
+      t.add_cleanup(() => win.close());
+    }
+  }, `"require-corp" top-level (${title}): navigating to "none" should succeed`);
+});
+
+promise_test(async t => {
+  const response = await fetch(get_host_info().HTTPS_REMOTE_ORIGIN+"/html/cross-origin-embedder-policy/resources/nothing-cross-origin-corp.txt", {mode: "no-cors"});
+  assert_equals(response.type, "opaque");
+}, `"require-corp" top-level: fetch() to CORP: cross-origin response should succeed`);
+
+promise_test(t => {
+  return promise_rejects(t, new TypeError(), fetch(get_host_info().HTTPS_REMOTE_ORIGIN+"/common/blank.html", {mode: "no-cors"}));
+}, `"require-corp" top-level: fetch() to response without CORP should fail`);
+</script>
diff --git a/html/cross-origin-embedder-policy/require-corp.https.html.headers b/html/cross-origin-embedder-policy/require-corp.https.html.headers
new file mode 100644
index 00000000000000..6604450991a122
--- /dev/null
+++ b/html/cross-origin-embedder-policy/require-corp.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/html/cross-origin-embedder-policy/resources/blob-url-factory.html b/html/cross-origin-embedder-policy/resources/blob-url-factory.html
new file mode 100644
index 00000000000000..7d90aacd8bbf20
--- /dev/null
+++ b/html/cross-origin-embedder-policy/resources/blob-url-factory.html
@@ -0,0 +1,17 @@
+<body>
+<script src="script-factory.js"></script>
+<script>
+const query = new URLSearchParams(window.location.search);
+const id = query.get("id");
+const variant = query.get("variant");
+const parent = (variant === "subframe") ? "parent.parent" : "parent";
+const blob = new Blob([createScript(window.origin, query.get("crossOrigin"), parent, id)], { type: "text/html" });
+const blobURL = URL.createObjectURL(blob);
+if (variant === "subframe") {
+  const frame = document.createElement("iframe");
+  frame.src = blobURL;
+  document.body.append(frame);
+} else {
+  window.location = blobURL;
+}
+</script>
diff --git a/html/cross-origin-embedder-policy/resources/blob-url-factory.html.headers b/html/cross-origin-embedder-policy/resources/blob-url-factory.html.headers
new file mode 100644
index 00000000000000..4e798cd9f5d3f7
--- /dev/null
+++ b/html/cross-origin-embedder-policy/resources/blob-url-factory.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Embedder-Policy: require-corp
+Cross-Origin-Resource-Policy: cross-origin
diff --git a/html/cross-origin/resources/navigate_null.sub.html b/html/cross-origin-embedder-policy/resources/navigate-none.sub.html
similarity index 100%
rename from html/cross-origin/resources/navigate_null.sub.html
rename to html/cross-origin-embedder-policy/resources/navigate-none.sub.html
diff --git a/html/cross-origin/resources/navigate_anonymous.sub.html b/html/cross-origin-embedder-policy/resources/navigate-require-corp.sub.html
similarity index 100%
rename from html/cross-origin/resources/navigate_anonymous.sub.html
rename to html/cross-origin-embedder-policy/resources/navigate-require-corp.sub.html
diff --git a/html/cross-origin-embedder-policy/resources/navigate-require-corp.sub.html.headers b/html/cross-origin-embedder-policy/resources/navigate-require-corp.sub.html.headers
new file mode 100644
index 00000000000000..6604450991a122
--- /dev/null
+++ b/html/cross-origin-embedder-policy/resources/navigate-require-corp.sub.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/html/cross-origin-embedder-policy/resources/nothing-cross-origin-corp.txt b/html/cross-origin-embedder-policy/resources/nothing-cross-origin-corp.txt
new file mode 100644
index 00000000000000..e61d8ee36c9af6
--- /dev/null
+++ b/html/cross-origin-embedder-policy/resources/nothing-cross-origin-corp.txt
@@ -0,0 +1 @@
+nothing with cross-origin CORP
diff --git a/html/cross-origin-embedder-policy/resources/nothing-cross-origin-corp.txt.headers b/html/cross-origin-embedder-policy/resources/nothing-cross-origin-corp.txt.headers
new file mode 100644
index 00000000000000..1b88136c01cbca
--- /dev/null
+++ b/html/cross-origin-embedder-policy/resources/nothing-cross-origin-corp.txt.headers
@@ -0,0 +1 @@
+Cross-Origin-Resource-Policy: cross-origin
diff --git a/html/cross-origin-embedder-policy/resources/nothing-same-origin-corp.txt b/html/cross-origin-embedder-policy/resources/nothing-same-origin-corp.txt
new file mode 100644
index 00000000000000..b9ba801f78e5f3
--- /dev/null
+++ b/html/cross-origin-embedder-policy/resources/nothing-same-origin-corp.txt
@@ -0,0 +1 @@
+nothing with same-origin CORP
diff --git a/html/cross-origin-embedder-policy/resources/nothing-same-origin-corp.txt.headers b/html/cross-origin-embedder-policy/resources/nothing-same-origin-corp.txt.headers
new file mode 100644
index 00000000000000..30ddeac2e7a359
--- /dev/null
+++ b/html/cross-origin-embedder-policy/resources/nothing-same-origin-corp.txt.headers
@@ -0,0 +1 @@
+Cross-Origin-Resource-Policy: same-origin
diff --git a/html/cross-origin-embedder-policy/resources/script-factory.js b/html/cross-origin-embedder-policy/resources/script-factory.js
new file mode 100644
index 00000000000000..9db75522602047
--- /dev/null
+++ b/html/cross-origin-embedder-policy/resources/script-factory.js
@@ -0,0 +1,23 @@
+// This creates a serialized <script> element that is useful for blob/data/srcdoc-style tests.
+
+function createScript(sameOrigin, crossOrigin, parent="parent", id="") {
+  return `<script>
+const data = { id: "${id}",
+               origin: window.origin,
+               sameOriginNoCORPSuccess: false,
+               crossOriginNoCORPFailure: false };
+function record(promise, token, expectation) {
+  return promise.then(() => data[token] = expectation, () => data[token] = !expectation);
+}
+
+const records = [
+  record(fetch("${crossOrigin}/common/blank.html", { mode: "no-cors" }), "crossOriginNoCORPFailure", false)
+];
+
+if ("${sameOrigin}" !== "null") {
+  records.push(record(fetch("${sameOrigin}/common/blank.html", { mode: "no-cors" }), "sameOriginNoCORPSuccess", true));
+}
+
+Promise.all(records).then(() => window.${parent}.postMessage(data, "*"));
+<\/script>`;
+}
diff --git a/html/cross-origin-embedder-policy/sandbox.https.html b/html/cross-origin-embedder-policy/sandbox.https.html
new file mode 100644
index 00000000000000..1e3f80a9186107
--- /dev/null
+++ b/html/cross-origin-embedder-policy/sandbox.https.html
@@ -0,0 +1,40 @@
+<!doctype html>
+<meta charset=utf-8>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<div id=log></div>
+<script>
+async_test(t => {
+  window.addEventListener("message", t.step_func_done(({ data }) => {
+    assert_equals(data.origin, "null");
+    assert_true(data.sameOriginWithoutCORP, "Request to same-origin resource without CORP did not fail");
+    assert_true(data.sameOriginWithSameOriginCORP, "Request to same-origin resource with same-origin CORP did not fail");
+    assert_true(data.sameOriginWithCrossOriginCORP, "Request to same-origin resource with cross-origin CORP did not succeed");
+    assert_true(data.crossOriginWithCrossOriginCORP, "Request to cross-origin resource with cross-origin CORP did not succeed");
+  }));
+
+  const origins = get_host_info();
+  const frame = document.createElement("iframe");
+  const nothingCrossOriginCORP = new URL("resources/nothing-cross-origin-corp.txt", window.location).pathname;
+  const nothingSameOriginCORP = new URL("resources/nothing-same-origin-corp.txt", window.location).pathname;
+  frame.sandbox = "allow-scripts";
+  frame.srcdoc = `<script>
+const data = { sameOriginWithoutCORP: false,
+               sameOriginWithSameOriginCORP: false,
+               sameOriginWithCrossOriginCORP: false,
+               crossOriginWithCrossOriginCORP: false,
+               origin: self.origin };
+function record(promise, token, expectation) {
+  return promise.then(() => data[token] = expectation, () => data[token] = !expectation);
+}
+Promise.all([
+  record(fetch("/common/blank.html", { mode: "no-cors" }), "sameOriginWithoutCORP", false),
+  record(fetch("${nothingSameOriginCORP}", { mode: "no-cors" }), "sameOriginWithSameOriginCORP", false),
+  record(fetch("${nothingCrossOriginCORP}", { mode: "no-cors" }), "sameOriginWithCrossOriginCORP", true),
+  record(fetch("${origins.HTTPS_NOTSAMESITE_ORIGIN}${nothingCrossOriginCORP}", { mode: "no-cors" }), "crossOriginWithCrossOriginCORP", true)
+]).then(() => parent.postMessage(data, "*"));
+<\/script>`;
+  document.body.append(frame);
+}, "Cross-Origin-Embedder-Policy and sandbox");
+</script>
diff --git a/html/cross-origin-embedder-policy/sandbox.https.html.headers b/html/cross-origin-embedder-policy/sandbox.https.html.headers
new file mode 100644
index 00000000000000..6604450991a122
--- /dev/null
+++ b/html/cross-origin-embedder-policy/sandbox.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/html/cross-origin-embedder-policy/srcdoc.https.html b/html/cross-origin-embedder-policy/srcdoc.https.html
new file mode 100644
index 00000000000000..3fbba961b2736e
--- /dev/null
+++ b/html/cross-origin-embedder-policy/srcdoc.https.html
@@ -0,0 +1,21 @@
+<!doctype html>
+<meta charset=utf-8>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="resources/script-factory.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<div id=log></div>
+<script>
+async_test(t => {
+  window.addEventListener("message", t.step_func_done(({ data }) => {
+    assert_equals(data.id, "");
+    assert_equals(data.origin, window.origin);
+    assert_true(data.sameOriginNoCORPSuccess, "Same-origin without CORP did not succeed");
+    assert_true(data.crossOriginNoCORPFailure, "Cross-origin without CORP did not fail");
+  }));
+  const frame = document.createElement("iframe");
+  t.add_cleanup(() => frame.remove());
+  frame.srcdoc = createScript(window.origin, get_host_info().HTTPS_NOTSAMESITE_ORIGIN);
+  document.body.append(frame);
+}, "Cross-Origin-Embedder-Policy and srcdoc");
+</script>
diff --git a/html/cross-origin-embedder-policy/srcdoc.https.html.headers b/html/cross-origin-embedder-policy/srcdoc.https.html.headers
new file mode 100644
index 00000000000000..6604450991a122
--- /dev/null
+++ b/html/cross-origin-embedder-policy/srcdoc.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/html/cross-origin-opener-policy/README.md b/html/cross-origin-opener-policy/README.md
new file mode 100644
index 00000000000000..3f080c82d25de7
--- /dev/null
+++ b/html/cross-origin-opener-policy/README.md
@@ -0,0 +1,11 @@
+This directory as well as `../cross-origin-embedder-policy/` contains tests for `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy`. Some light background reading:
+
+* [COOP and COEP explained](https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit)
+* [COOP processing model](https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e) (also defines interaction with COEP)
+* [COEP processing model](https://mikewest.github.io/corpp/)
+* [Open COOP issues](https://github.com/whatwg/html/labels/topic%3A%20cross-origin-opener-policy)
+* [Open COEP issues](https://github.com/whatwg/html/labels/topic%3A%20cross-origin-embedder-policy)
+
+Notes:
+
+* Top-level navigation to a `data:` URL does not work in Chrome and Firefox and is therefore not tested. (This should probably be standardized.)
diff --git a/html/cross-origin-opener-policy/coep-navigate-popup.https.html b/html/cross-origin-opener-policy/coep-navigate-popup.https.html
new file mode 100644
index 00000000000000..717122b4b2f2e7
--- /dev/null
+++ b/html/cross-origin-opener-policy/coep-navigate-popup.https.html
@@ -0,0 +1,62 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy: a navigating popup</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/common.js"></script>
+<script>
+[
+  {
+    "title": "coop/coep",
+    "coop": "same-origin",
+    "coep": "require-corp",
+    "opener": true
+  },
+  {
+    "title": "no coop/coep",
+    "coop": "",
+    "coep": "require-corp",
+    "opener": false
+  },
+  {
+    "title": "coop/no coep",
+    "coop": "same-origin",
+    "coep": "",
+    "opener": false
+  },
+  {
+    "title": "no coop/no coep",
+    "coop": "",
+    "coep": "",
+    "opener": false
+  },
+  {
+    "title": "coop unsafe-inherit/coep",
+    "coop": "unsafe-inherit",
+    "coep": "require-corp",
+    "opener": true
+  },
+  {
+    "title": "coop unsafe-inherit/no coep",
+    "coop": "unsafe-inherit",
+    "coep": "",
+    "opener": false
+  }
+].forEach(variant => {
+  ["same-origin", "same-site"].forEach(site => {
+    const title = `Popup navigating to ${site} with ${variant.title}`;
+    const channel = title.replace(/ /g,"-");
+    const navigateHost = site === "same-origin" ? SAME_ORIGIN : SAME_SITE;
+    const navigateURL = `${navigateHost.origin}/html/cross-origin-opener-policy/resources/coop-coep.py?coop=${variant.coop}&coep=${variant.coep}&channel=${channel}`;
+    const opener = site === "same-origin" ? variant.opener : false;
+
+    async_test(t => {
+      // For each test we open a COOP: same-origin/COEP: require-corp document in a popup and then
+      // navigate that to either a same-origin or same-site document whose COOP and COEP are set as
+      // per the top-most array. We then verify that this document has the correct opener for its
+      // specific setup.
+      url_test(t, `${SAME_ORIGIN.origin}/html/cross-origin-opener-policy/resources/coop-coep.py?coop=same-origin&coep=require-corp&navigate=${encodeURIComponent(navigateURL)}`, channel, opener);
+    }, title);
+  });
+});
+</script>
diff --git a/html/cross-origin-opener-policy/coep-navigate-popup.https.html.headers b/html/cross-origin-opener-policy/coep-navigate-popup.https.html.headers
new file mode 100644
index 00000000000000..63b60e490f47f4
--- /dev/null
+++ b/html/cross-origin-opener-policy/coep-navigate-popup.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/html/cross-origin-opener-policy/coep-redirect.https.html b/html/cross-origin-opener-policy/coep-redirect.https.html
new file mode 100644
index 00000000000000..73f07ddef88877
--- /dev/null
+++ b/html/cross-origin-opener-policy/coep-redirect.https.html
@@ -0,0 +1,67 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy: redirects</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/common.js"></script>
+<script>
+const coopCOEPPath = new URL("resources/coop-coep.py", window.location).pathname;
+
+[
+  {
+    "title": "coop/coep to coop/coep",
+    "redirectCOOP": "same-origin",
+    "redirectCOEP": "require-corp",
+    "coop": "same-origin",
+    "coep": "require-corp",
+    "opener": true
+  },
+  {
+    "title": "coop/coep to no coop/coep",
+    "redirectCOOP": "same-origin",
+    "redirectCOEP": "require-corp",
+    "coop": "",
+    "coep": "require-corp",
+    "opener": false
+  },
+  {
+    "title": "no coop/no coep to coop/coep",
+    "redirectCOOP": "",
+    "redirectCOEP": "",
+    "coop": "same-origin",
+    "coep": "require-corp",
+    "opener": false
+  },
+  {
+    "title": "coop/no coep to coop/coep",
+    "redirectCOOP": "same-origin",
+    "redirectCOEP": "",
+    "coop": "same-origin",
+    "coep": "require-corp",
+    "opener": false
+  },
+  {
+    "title": "coop unsafe-inherit/coep to coop/coep",
+    "redirectCOOP": "unsafe-inherit",
+    "redirectCOEP": "require-corp",
+    "coop": "same-origin",
+    "coep": "require-corp",
+    "opener": true
+  },
+  {
+    "title": "coop unsafe-inherit/coep to coop unsafe-inherit/coep",
+    "redirectCOOP": "unsafe-inherit",
+    "redirectCOEP": "require-corp",
+    "coop": "unsafe-inherit",
+    "coep": "require-corp",
+    "opener": true
+  }
+].forEach(variant => {
+  const title = `Redirect from ${variant.title}`;
+  async_test(t => {
+    const channel = title.replace(/ /g,"-");
+    const redirectLocation = `${SAME_ORIGIN.origin}${coopCOEPPath}?coop=${variant.coop}&coep=${variant.coep}&channel=${channel}`;
+    url_test(t, `${SAME_ORIGIN.origin}${coopCOEPPath}?coop=${variant.redirectCOOP}&coep=${variant.redirectCOEP}&redirect=${encodeURIComponent(redirectLocation)}`, channel, variant.opener);
+  }, title);
+});
+</script>
diff --git a/html/cross-origin-opener-policy/coep-redirect.https.html.headers b/html/cross-origin-opener-policy/coep-redirect.https.html.headers
new file mode 100644
index 00000000000000..63b60e490f47f4
--- /dev/null
+++ b/html/cross-origin-opener-policy/coep-redirect.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/html/cross-origin-opener-policy/coep.https.html b/html/cross-origin-opener-policy/coep.https.html
new file mode 100644
index 00000000000000..1c04ed30dd7b3e
--- /dev/null
+++ b/html/cross-origin-opener-policy/coep.https.html
@@ -0,0 +1,43 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/common.js"></script>
+<script>
+[
+  {
+    "title": "popup with coop/coep",
+    "coop": "same-origin",
+    "coep": "require-corp",
+    "opener": true
+  },
+  {
+    "title": "popup with coop unsafe-inherit/coep",
+    "coop": "unsafe-inherit",
+    "coep": "require-corp",
+    "opener": true
+  },
+  {
+    "title": "popup with coop unsafe-inherit without coep",
+    "coop": "unsafe-inherit",
+    "coep": "",
+    "opener": false
+  },
+  {
+    "title": "popup without coep",
+    "coop": "same-origin",
+    "coep": "",
+    "opener": false
+  }
+].forEach(variant => {
+  async_test(t => {
+    coop_coep_test(t, SAME_ORIGIN, variant.coop, variant.coep, variant.title.replace(/ /g,"-"), variant.opener);
+  }, `Same-origin ${variant.title}`);
+
+  // This seems useful to test, CROSS_SITE is probably too redundant though.
+  async_test(t => {
+    coop_coep_test(t, SAME_SITE, variant.coop, variant.coep, `same-site-${variant.title.replace(/ /g,"-")}`, false);
+  }, `Same-site ${variant.title}`);
+});
+</script>
diff --git a/html/cross-origin-opener-policy/coep.https.html.headers b/html/cross-origin-opener-policy/coep.https.html.headers
new file mode 100644
index 00000000000000..63b60e490f47f4
--- /dev/null
+++ b/html/cross-origin-opener-policy/coep.https.html.headers
@@ -0,0 +1,2 @@
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/html/cross-origin-opener-policy/coop-navigated-popup.https.html b/html/cross-origin-opener-policy/coop-navigated-popup.https.html
new file mode 100644
index 00000000000000..0b51512c221d90
--- /dev/null
+++ b/html/cross-origin-opener-policy/coop-navigated-popup.https.html
@@ -0,0 +1,29 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy: a navigated popup</title>
+<!-- In particular this is different from coep-navigate-popup.https.html as this document initiates
+     the navigation (and uses unsafe-allow-outgoing and no COEP as without that it cannot be
+     observed). COOP should work identically, but implementations might have used the wrong
+     authority. -->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/utils.js"></script> <!-- Use token() to allow running tests in parallel -->
+<script>
+async_test(t => {
+  const noCOOP = "/common/blank.html";
+  const popupName = token();
+  const popup = window.open(noCOOP, popupName);
+  t.add_cleanup(() => popup.close());
+  popup.onload = t.step_func(() => {
+    assert_equals(popup.name, popupName);
+    assert_equals(new URL(popup.document.URL).pathname, noCOOP);
+    const channel = new BroadcastChannel(token());
+    channel.onmessage = t.step_func_done(event => {
+      const payload = event.data;
+      assert_equals(payload.name, "");
+      assert_false(payload.opener);
+    });
+    const coop = `resources/coop-coep.py?coop=same-origin&coep=&channel=${channel.name}`;
+    popup.location = coop;
+  });
+}, "Open a popup to a document without COOP, then navigate it to a document with");
+</script>
diff --git a/html/cross-origin-opener/new_window_same_origin_unsafe_allow_outgoing.tentative.html.headers b/html/cross-origin-opener-policy/coop-navigated-popup.https.html.headers
similarity index 100%
rename from html/cross-origin-opener/new_window_same_origin_unsafe_allow_outgoing.tentative.html.headers
rename to html/cross-origin-opener-policy/coop-navigated-popup.https.html.headers
diff --git a/html/cross-origin-opener-policy/coop-sandbox.https.html b/html/cross-origin-opener-policy/coop-sandbox.https.html
new file mode 100644
index 00000000000000..e471b1eda2ef28
--- /dev/null
+++ b/html/cross-origin-opener-policy/coop-sandbox.https.html
@@ -0,0 +1,22 @@
+<!doctype html>
+<title>Sandboxed Cross-Origin-Opener-Policy popup should result in a network error</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/utils.js"></script> <!-- Use token() to allow running tests in parallel -->
+<div id=log>
+<script>
+async_test(t => {
+  const frame = document.createElement("iframe");
+  const channel = new BroadcastChannel(token());
+  channel.onmessage = t.unreached_func("A COOP popup was created from a sandboxed frame");
+  t.add_cleanup(() => frame.remove());
+  frame.sandbox = "allow-popups allow-scripts allow-same-origin";
+  frame.srcdoc = `<script>
+const popup = window.open("resources/coop-coep.py?coop=same-origin&coep=&channel=${channel.name}");
+<\/script>`;
+  document.body.append(frame);
+  t.step_timeout(() => {
+    t.done()
+  }, 500);
+});
+</script>
diff --git a/html/cross-origin-opener/new_window_same_origin.tentative.html.headers b/html/cross-origin-opener-policy/coop-sandbox.https.html.headers
similarity index 100%
rename from html/cross-origin-opener/new_window_same_origin.tentative.html.headers
rename to html/cross-origin-opener-policy/coop-sandbox.https.html.headers
diff --git a/html/cross-origin-opener-policy/no-https.html b/html/cross-origin-opener-policy/no-https.html
new file mode 100644
index 00000000000000..da9efdce777c43
--- /dev/null
+++ b/html/cross-origin-opener-policy/no-https.html
@@ -0,0 +1,18 @@
+<!doctype html>
+<meta name="timeout" content="long">
+<title>Cross-Origin-Opener-Policy requires secure contexts</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script>
+async_test(t => {
+  const popup = window.open("/common/blank.html");
+  assert_equals(window, popup.opener);
+
+  t.step_timeout(() => {
+    assert_false(popup.closed);
+    assert_equals(popup.location.pathname, "/common/blank.html");
+    popup.close();
+    t.done();
+  }, 500);
+}, "Cross-Origin-Opener-Policy only works over secure contexts");
+</script>
diff --git a/html/cross-origin-opener-policy/no-https.html.headers b/html/cross-origin-opener-policy/no-https.html.headers
new file mode 100644
index 00000000000000..46ad58d83bf6e9
--- /dev/null
+++ b/html/cross-origin-opener-policy/no-https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/html/cross-origin-opener/new_window_null.tentative.html b/html/cross-origin-opener-policy/popup-none.https.html
similarity index 93%
rename from html/cross-origin-opener/new_window_null.tentative.html
rename to html/cross-origin-opener-policy/popup-none.https.html
index 35a42fd2f0963f..62633457d3f571 100644
--- a/html/cross-origin-opener/new_window_null.tentative.html
+++ b/html/cross-origin-opener-policy/popup-none.https.html
@@ -3,8 +3,7 @@
 <script src=/resources/testharness.js></script>
 <script src=/resources/testharnessreport.js></script>
 <script src="/common/get-host-info.sub.js"></script>
-
-<script src="common.sub.js"></script>
+<script src="resources/common.js"></script>
 
 <div id=log></div>
 <script>
@@ -33,6 +32,6 @@
   [CROSS_ORIGIN, "same-origin unsafe-allow-outgoing", false],
 ];
 
-run_coop_tests("null", tests);
+run_coop_tests("none", tests);
 
 </script>
diff --git a/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html b/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html
new file mode 100644
index 00000000000000..65ec3b26aa0c6e
--- /dev/null
+++ b/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html
@@ -0,0 +1,15 @@
+<!doctype html>
+<title>Cross-Origin-Opener-Policy: about:blank</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script>
+async_test(t => {
+  const popup = window.open("resources/coop-coep.py?coop=same-origin&coep=&navigate=about:blank");
+  assert_equals(window, popup.opener);
+  t.step_timeout(() => {
+    assert_equals(popup.location.href, "about:blank");
+    popup.close();
+    t.done();
+  }, 500);
+}, "Navigating a popup to about:blank");
+</script>
diff --git a/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html.headers b/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html.headers
new file mode 100644
index 00000000000000..46ad58d83bf6e9
--- /dev/null
+++ b/html/cross-origin-opener-policy/popup-same-origin-non-initial-about-blank.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/html/cross-origin-opener/new_window_same_origin_unsafe_allow_outgoing.tentative.html b/html/cross-origin-opener-policy/popup-same-origin-unsafe-allow-outgoing.https.html
similarity index 96%
rename from html/cross-origin-opener/new_window_same_origin_unsafe_allow_outgoing.tentative.html
rename to html/cross-origin-opener-policy/popup-same-origin-unsafe-allow-outgoing.https.html
index bbd55130d7a903..2f8ebc3be3fcc7 100644
--- a/html/cross-origin-opener/new_window_same_origin_unsafe_allow_outgoing.tentative.html
+++ b/html/cross-origin-opener-policy/popup-same-origin-unsafe-allow-outgoing.https.html
@@ -3,8 +3,7 @@
 <script src=/resources/testharness.js></script>
 <script src=/resources/testharnessreport.js></script>
 <script src="/common/get-host-info.sub.js"></script>
-
-<script src="common.sub.js"></script>
+<script src="resources/common.js"></script>
 
 <div id=log></div>
 <script>
diff --git a/html/cross-origin-opener-policy/popup-same-origin-unsafe-allow-outgoing.https.html.headers b/html/cross-origin-opener-policy/popup-same-origin-unsafe-allow-outgoing.https.html.headers
new file mode 100644
index 00000000000000..a19f4400cea33a
--- /dev/null
+++ b/html/cross-origin-opener-policy/popup-same-origin-unsafe-allow-outgoing.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin unsafe-allow-outgoing
diff --git a/html/cross-origin-opener/new_window_same_origin.tentative.html b/html/cross-origin-opener-policy/popup-same-origin.https.html
similarity index 96%
rename from html/cross-origin-opener/new_window_same_origin.tentative.html
rename to html/cross-origin-opener-policy/popup-same-origin.https.html
index 6bbb37cafca07c..964011ff762115 100644
--- a/html/cross-origin-opener/new_window_same_origin.tentative.html
+++ b/html/cross-origin-opener-policy/popup-same-origin.https.html
@@ -3,8 +3,7 @@
 <script src=/resources/testharness.js></script>
 <script src=/resources/testharnessreport.js></script>
 <script src="/common/get-host-info.sub.js"></script>
-
-<script src="common.sub.js"></script>
+<script src="resources/common.js"></script>
 
 <div id=log></div>
 <script>
diff --git a/html/cross-origin-opener-policy/popup-same-origin.https.html.headers b/html/cross-origin-opener-policy/popup-same-origin.https.html.headers
new file mode 100644
index 00000000000000..46ad58d83bf6e9
--- /dev/null
+++ b/html/cross-origin-opener-policy/popup-same-origin.https.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Opener-Policy: same-origin
diff --git a/html/cross-origin-opener/new_window_same_site_unsafe_allow_outgoing.tentative.html b/html/cross-origin-opener-policy/popup-same-site-unsafe-allow-outgoing.https.html
similarity index 96%
rename from html/cross-origin-opener/new_window_same_site_unsafe_allow_outgoing.tentative.html
rename to html/cross-origin-opener-policy/popup-same-site-unsafe-allow-outgoing.https.html
index d81506f434b70d..18ee909d186556 100644
--- a/html/cross-origin-opener/new_window_same_site_unsafe_allow_outgoing.tentative.html
+++ b/html/cross-origin-opener-policy/popup-same-site-unsafe-allow-outgoing.https.html
@@ -3,8 +3,7 @@
 <script src=/resources/testharness.js></script>
 <script src=/resources/testharnessreport.js></script>
 <script src="/common/get-host-info.sub.js"></script>
-
-<script src="common.sub.js"></script>
+<script src="resources/common.js"></script>
 
 <div id=log></div>
 <script>
diff --git a/html/cross-origin-opener/new_window_same_site_unsafe_allow_outgoing.tentative.html.headers b/html/cross-origin-opener-policy/popup-same-site-unsafe-allow-outgoing.https.html.headers
similarity index 100%
rename from html/cross-origin-opener/new_window_same_site_unsafe_allow_outgoing.tentative.html.headers
rename to html/cross-origin-opener-policy/popup-same-site-unsafe-allow-outgoing.https.html.headers
diff --git a/html/cross-origin-opener/new_window_same_site.tentative.html b/html/cross-origin-opener-policy/popup-same-site.https.html
similarity index 96%
rename from html/cross-origin-opener/new_window_same_site.tentative.html
rename to html/cross-origin-opener-policy/popup-same-site.https.html
index e1efac12d02e26..9a0db2765daeb4 100644
--- a/html/cross-origin-opener/new_window_same_site.tentative.html
+++ b/html/cross-origin-opener-policy/popup-same-site.https.html
@@ -3,8 +3,7 @@
 <script src=/resources/testharness.js></script>
 <script src=/resources/testharnessreport.js></script>
 <script src="/common/get-host-info.sub.js"></script>
-
-<script src="common.sub.js"></script>
+<script src="resources/common.js"></script>
 
 <div id=log></div>
 <script>
diff --git a/html/cross-origin-opener/new_window_same_site.tentative.html.headers b/html/cross-origin-opener-policy/popup-same-site.https.html.headers
similarity index 100%
rename from html/cross-origin-opener/new_window_same_site.tentative.html.headers
rename to html/cross-origin-opener-policy/popup-same-site.https.html.headers
diff --git a/html/cross-origin-opener-policy/resources/common.js b/html/cross-origin-opener-policy/resources/common.js
new file mode 100644
index 00000000000000..b60093f1c62c5d
--- /dev/null
+++ b/html/cross-origin-opener-policy/resources/common.js
@@ -0,0 +1,36 @@
+const SAME_ORIGIN = {origin: get_host_info().HTTPS_ORIGIN, name: "SAME_ORIGIN"};
+const SAME_SITE = {origin: get_host_info().HTTPS_REMOTE_ORIGIN, name: "SAME_SITE"};
+const CROSS_ORIGIN = {origin: get_host_info().HTTPS_NOTSAMESITE_ORIGIN, name: "CROSS_ORIGIN"}
+
+function url_test(t, url, channelName, hasOpener) {
+  const bc = new BroadcastChannel(channelName);
+  bc.onmessage = t.step_func_done(event => {
+    const payload = event.data;
+    assert_equals(payload.name, hasOpener ? channelName : "");
+    assert_equals(payload.opener, hasOpener);
+  });
+
+  const w = window.open(url, channelName);
+
+  // w will be closed by its postback iframe. When out of process,
+  // window.close() does not work.
+  t.add_cleanup(() => w.close());
+}
+
+function coop_coep_test(t, host, coop, coep, channelName, hasOpener) {
+  url_test(t, `${host.origin}/html/cross-origin-opener-policy/resources/coop-coep.py?coop=${encodeURIComponent(coop)}&coep=${coep}&channel=${channelName}`, channelName, hasOpener);
+}
+
+function coop_test(t, host, coop, channelName, hasOpener) {
+  coop_coep_test(t, host, coop, "", channelName, hasOpener);
+}
+
+function run_coop_tests(documentCOOPValueTitle, testArray) {
+  for (const test of tests) {
+    async_test(t => {
+      coop_test(t, test[0], test[1],
+                `${mainTest}_to_${test[0].name}_${test[1].replace(/ /g,"-")}`,
+                test[2]);
+    }, `${documentCOOPValueTitle} document opening popup to ${test[0].origin} with COOP: "${test[1]}"`);
+  }
+}
diff --git a/html/cross-origin-opener-policy/resources/coop-coep.py b/html/cross-origin-opener-policy/resources/coop-coep.py
new file mode 100644
index 00000000000000..8b12341be7356c
--- /dev/null
+++ b/html/cross-origin-opener-policy/resources/coop-coep.py
@@ -0,0 +1,35 @@
+def main(request, response):
+    coop = request.GET.first("coop")
+    coep = request.GET.first("coep")
+    redirect = request.GET.first("redirect", None)
+    if coop != "":
+        response.headers.set("Cross-Origin-Opener-Policy", coop)
+    if coep != "":
+        response.headers.set("Cross-Origin-Embedder-Policy", coep)
+
+    if redirect != None:
+        response.status = 302
+        response.headers.set("Location", redirect)
+        return
+
+    # This uses an <iframe> as BroadcastChannel is same-origin bound.
+    response.content = """
+<!doctype html>
+<meta charset=utf-8>
+<script src="/common/get-host-info.sub.js"></script>
+<iframe></iframe>
+<script>
+  const navigate = new URL(location).searchParams.get("navigate");
+  if (navigate !== null) {
+    self.location = navigate;
+  } else {
+    const iframe = document.querySelector("iframe");
+    iframe.onload = () => {
+      const payload = { name: self.name, opener: !!self.opener };
+      iframe.contentWindow.postMessage(payload, "*");
+    };
+    const channelName = new URL(location).searchParams.get("channel");
+    iframe.src = `${get_host_info().HTTPS_ORIGIN}/html/cross-origin-opener-policy/resources/postback.html?channel=${channelName}`;
+  }
+</script>
+"""
diff --git a/html/cross-origin-opener-policy/resources/postback.html b/html/cross-origin-opener-policy/resources/postback.html
new file mode 100644
index 00000000000000..cf3c93bbe1d358
--- /dev/null
+++ b/html/cross-origin-opener-policy/resources/postback.html
@@ -0,0 +1,10 @@
+<!doctype html>
+<meta charset=utf-8>
+<script>
+const channelName = new URL(location).searchParams.get("channel");
+const bc = new BroadcastChannel(channelName);
+window.addEventListener("message", event => {
+  bc.postMessage(event.data);
+  window.parent.close();
+});
+</script>
diff --git a/html/cross-origin-opener-policy/resources/postback.html.headers b/html/cross-origin-opener-policy/resources/postback.html.headers
new file mode 100644
index 00000000000000..6604450991a122
--- /dev/null
+++ b/html/cross-origin-opener-policy/resources/postback.html.headers
@@ -0,0 +1 @@
+Cross-Origin-Embedder-Policy: require-corp
diff --git a/html/cross-origin-opener/common.sub.js b/html/cross-origin-opener/common.sub.js
deleted file mode 100644
index a73a95aba86252..00000000000000
--- a/html/cross-origin-opener/common.sub.js
+++ /dev/null
@@ -1,28 +0,0 @@
-const SAME_ORIGIN = {origin: get_host_info().HTTP_ORIGIN, name: "SAME_ORIGIN"};
-const SAME_SITE = {origin: get_host_info().HTTP_REMOTE_ORIGIN, name: "SAME_SITE"};
-const CROSS_ORIGIN = {origin: get_host_info().HTTP_NOTSAMESITE_ORIGIN, name: "CROSS_ORIGIN"}
-
-function coop_test(t, host, coop, channelName, hasOpener) {
-  let bc = new BroadcastChannel(channelName);
-  bc.onmessage = t.step_func_done((event) => {
-    let payload = event.data;
-    assert_equals(payload.name, hasOpener ? channelName : "");
-    assert_equals(payload.opener, hasOpener);
-  });
-
-  let w = window.open(`${host.origin}/html/cross-origin-opener/resources/coop_window.py?path=window.sub.html&coop=${escape(coop)}&channel=${channelName}`, channelName);
-
-  // w will be closed by its postback iframe. When out of process,
-  // window.close() does not work.
-  t.add_cleanup(() => w.close());
-}
-
-function run_coop_tests(mainTest, testArray) {
-  for (let test of tests) {
-   async_test(t => {
-    coop_test(t, test[0], test[1],
-              `${mainTest}_to_${test[0].name}_${test[1].replace(/ /g,"-")}`,
-              test[2]);
-  }, `${mainTest} document opening popup to ${test[0].origin} with COOP: "${test[1]}"`);
- }
-}
diff --git a/html/cross-origin-opener/resources/coop_window.py b/html/cross-origin-opener/resources/coop_window.py
deleted file mode 100644
index b24d6d55a9a368..00000000000000
--- a/html/cross-origin-opener/resources/coop_window.py
+++ /dev/null
@@ -1,10 +0,0 @@
-import urllib
-import os.path
-
-def main(request, response):
-    coop = request.GET.first('coop')
-    if coop:
-        response.headers.set('Cross-Origin-Opener-Policy', urllib.unquote(coop))
-
-    path = os.path.join(os.path.dirname(__file__), request.GET.first('path'))
-    response.content = open(path, mode='rb').read()
diff --git a/html/cross-origin-opener/resources/postback.sub.html b/html/cross-origin-opener/resources/postback.sub.html
deleted file mode 100644
index ee08bab4d55ed4..00000000000000
--- a/html/cross-origin-opener/resources/postback.sub.html
+++ /dev/null
@@ -1,13 +0,0 @@
-<!doctype html>
-<meta charset=utf-8>
-
-<script>
-
-let channelName = new URL(location).searchParams.get("channel");
-let bc = new BroadcastChannel(channelName);
-window.addEventListener("message", (event) => {
-  bc.postMessage(event.data);
-  window.parent.close();
-}, false);
-
-</script>
diff --git a/html/cross-origin-opener/resources/window.sub.html b/html/cross-origin-opener/resources/window.sub.html
deleted file mode 100644
index 524efe2588d08e..00000000000000
--- a/html/cross-origin-opener/resources/window.sub.html
+++ /dev/null
@@ -1,18 +0,0 @@
-<!doctype html>
-<meta charset=utf-8>
-
-<script src="/common/get-host-info.sub.js"></script>
-
-<script type="text/javascript">
-
-  window.addEventListener('load', function() {
-    let iframe = document.createElement("iframe");
-    iframe.onload = () => {
-      let payload = { name: self.name, opener: !!self.opener };
-      iframe.contentWindow.postMessage(payload, "*");
-    };
-    let channelName = new URL(location).searchParams.get("channel");
-    iframe.src = `${get_host_info().HTTP_ORIGIN}/html/cross-origin-opener/resources/postback.sub.html?channel=${channelName}`;
-    document.body.appendChild(iframe);
-  });
-</script>
diff --git a/html/cross-origin-opener/resources/window.sub.html.headers b/html/cross-origin-opener/resources/window.sub.html.headers
deleted file mode 100644
index 34bd099a302f89..00000000000000
--- a/html/cross-origin-opener/resources/window.sub.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Cross-Origin-Opener-Policy: same-site
diff --git a/html/cross-origin/anonymous.tentative.html b/html/cross-origin/anonymous.tentative.html
deleted file mode 100644
index ef9b9bb7b878a7..00000000000000
--- a/html/cross-origin/anonymous.tentative.html
+++ /dev/null
@@ -1,219 +0,0 @@
-<!doctype html>
-<meta name="timeout" content="long">
-<title>Cross-Origin header and nested navigable resource without such header</title>
-<script src=/resources/testharness.js></script>
-<script src=/resources/testharnessreport.js></script>
-<script src="/common/get-host-info.sub.js"></script>
-<div id=log></div>
-<script>
-async_test(t => {
-  const frame = document.createElement("iframe");
-  t.step_timeout(() => {
-    // Make sure the iframe didn't load.
-    assert_equals(frame.contentDocument, null);
-    t.done();
-  }, 500);
-  frame.src = "/common/blank.html";
-  document.body.append(frame);
-  assert_equals(frame.contentDocument.body.localName, "body");
-}, "Top-level with anonymous policy: navigating a frame to a null policy should fail.");
-
-async_test(t => {
-  const frame = document.createElement("iframe");
-
-  const CHANNEL_NAME = "frame-anon-to-blank";
-  let bc = new BroadcastChannel(CHANNEL_NAME);
-  bc.onmessage = t.step_func((event) => {
-    assert_not_equals(frame.contentDocument, null);
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-    t.step_timeout(() => {
-      assert_equals(frame.contentDocument, null, "Navigation to null policy should fail");
-      t.done();
-    }, 1500);
-  });
-
-  frame.src = `resources/navigate_anonymous.sub.html?channelName=${CHANNEL_NAME}&to=/common/blank.html`;
-  document.body.append(frame);
-  assert_equals(frame.contentDocument.body.localName, "body");
-}, "Top-level with anonymous policy: navigating a frame from an anonymous policy to a null policy should fail.");
-
-
-async_test(t => {
-  const frame = document.createElement("iframe");
-
-  const CHANNEL_NAME = "frame-usecredentials-to-blank";
-  let bc = new BroadcastChannel(CHANNEL_NAME);
-  bc.onmessage = t.step_func((event) => {
-    assert_not_equals(frame.contentDocument, null);
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-    t.step_timeout(() => {
-      assert_equals(frame.contentDocument, null, "Navigation to null policy should fail");
-      t.done();
-    }, 1500);
-  });
-  frame.src = `resources/navigate_usecredentials.sub.html?channelName=${CHANNEL_NAME}&to=/common/blank.html`;
-  document.body.append(frame);
-  assert_equals(frame.contentDocument.body.localName, "body");
-}, "Top-level with anonymous policy: navigating a frame from a use-credentials policy to a null policy should fail.");
-
-async_test(t => {
-  let pageLoaded = false;
-  const CHANNEL_NAME = "anon-null-window-noopener";
-  let bc = new BroadcastChannel(CHANNEL_NAME);
-  let finished = false;
-  bc.onmessage = t.step_func((event) => {
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-    pageLoaded = true;
-  });
-
-  const SECOND_CHANNEL = "anon-null-window-noopener-second";
-  let bc2 = new BroadcastChannel(SECOND_CHANNEL);
-  bc2.onmessage = t.step_func_done((event) => {
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-    assert_equals(pageLoaded, true, "Opening a null window (noopener) from anon window should work");
-  });
-
-  let win = window.open(`resources/navigate_null.sub.html?channelName=${CHANNEL_NAME}&to=navigate_null.sub.html?channelName=${SECOND_CHANNEL}`, "_blank", "noopener");
-}, "Top-level with anonymous policy: creating a noopener popup with null policy should work.");
-
-async_test(t => {
-  let pageLoaded = false;
-  const CHANNEL_NAME = "anon-null-window";
-  let bc = new BroadcastChannel(CHANNEL_NAME);
-  bc.onmessage = t.step_func_done((event) => {
-    pageLoaded = true;
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-  });
-
-  let win = window.open(`resources/navigate_null.sub.html?channelName=${CHANNEL_NAME}&to=/common/blank.html`, "_blank");
-  t.add_cleanup(() => win.close());
-  t.step_timeout(() => {
-    assert_equals(pageLoaded, false, "Opening a null window from anon window should fail");
-    t.done();
-  }, 500);
-}, "Top-level with anonymous policy: creating a popup with null policy should fail.");
-
-async_test(t => {
-  let pageLoaded = false;
-  const CHANNEL_NAME = "anon-null-top-navigation";
-  let bc = new BroadcastChannel(CHANNEL_NAME);
-  bc.onmessage = t.step_func((event) => {
-    pageLoaded = true;
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-  });
-
-  const SECOND_CHANNEL = "anon-null-top-navigation-final";
-  let bc2 = new BroadcastChannel(SECOND_CHANNEL);
-  bc2.onmessage = t.step_func_done((event) => {
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-    assert_equals(pageLoaded, true, "Opening a null window (noopener) from anon window should work");
-  });
-
-  let win = window.open(`resources/navigate_anonymous.sub.html?channelName=${CHANNEL_NAME}&to=navigate_null.sub.html?channelName=${SECOND_CHANNEL}`, "_blank", "noopener");
-
-}, "Top-level noopener with anonymous policy: navigating to a different policy should work");
-
-promise_test(t => {
-  let host_info = get_host_info();
-  return fetch(host_info.HTTP_REMOTE_ORIGIN+"/html/cross-origin/resources/nothing.txt",
-        {"mode": "no-cors", "method": "GET", "headers":{}}).then(r => {
-    assert_equals(r.type, "cors", "type should have been changed to cors");
-  });
-}, "Fetch policy: anonymous policy no-cors fetches should be changed to cors");
-
-
-async_test(t => {
-  let pageLoaded = false;
-  const CHANNEL_NAME = "anon-null-window";
-  let bc = new BroadcastChannel(CHANNEL_NAME);
-  bc.onmessage = t.step_func_done((event) => {
-    pageLoaded = true;
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-  });
-
-  const SECOND_CHANNEL = "anon-null-window-second";
-  let navigated = false;
-  let bc2 = new BroadcastChannel(SECOND_CHANNEL);
-  bc2.onmessage = t.step_func((event) => {
-    navigated = true;
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-  });
-
-  let win = window.open(`resources/navigate_anonymous.sub.html?channelName=${CHANNEL_NAME}&to=navigate_null.sub.html?channelName=${SECOND_CHANNEL}`, "_blank");
-  t.add_cleanup(() => win.close());
-  t.step_timeout(() => {
-    assert_equals(pageLoaded, true, "Opening the popup window from anon window should work");
-    assert_equals(navigated, false, "Navigating the popup to a null policy should fail");
-    t.done();
-  }, 500);
-}, "Top-level popup with anonymous policy: Navigating the popup to a null policy should fail.");
-
-async_test(t => {
-  let pageLoaded = false;
-  const CHANNEL_NAME = "anon-null-window";
-  let bc = new BroadcastChannel(CHANNEL_NAME);
-  bc.onmessage = t.step_func_done((event) => {
-    pageLoaded = true;
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-  });
-
-  const SECOND_CHANNEL = "anon-null-window-second";
-  let navigated = false;
-  let bc2 = new BroadcastChannel(SECOND_CHANNEL);
-  bc2.onmessage = t.step_func((event) => {
-    navigated = true;
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-  });
-
-  let win = window.open(`resources/navigate_anonymous.sub.html?clearOpener=true&channelName=${CHANNEL_NAME}&to=navigate_null.sub.html?channelName=${SECOND_CHANNEL}`, "_blank");
-  t.add_cleanup(() => win.close());
-  t.step_timeout(() => {
-    assert_equals(pageLoaded, true, "Opening the popup window from anon window should work");
-    assert_equals(navigated, false, "Navigating the popup to a null policy should fail");
-    t.done();
-  }, 500);
-}, "Top-level popup with anonymous policy: Navigating the popup to a null policy should fail. (even when we clear the opener)");
-
-async_test(t => {
-  let popupLoaded = false;
-  const CHANNEL_NAME = "anon-null-window-no-opener";
-  let bc = new BroadcastChannel(CHANNEL_NAME);
-  bc.onmessage = t.step_func_done((event) => {
-    let payload = event.data;
-    if (payload == "loaded") {
-      t.step_timeout(() => {
-        assert_equals(popupLoaded, true, "Opening the popup window (noopener) from anon window should work");
-        assert_equals(navigated, false, "Navigating the popup to a null policy should fail");
-        t.done();
-      }, 500);
-    } else if (payload == "popup-loaded") {
-      popupLoaded = true;
-    } else {
-      assert_unreached(`unexpected payload ${payload}`);
-    }
-  });
-
-  const SECOND_CHANNEL = "anon-null-window-second-popup";
-  let navigated = false;
-  let bc2 = new BroadcastChannel(SECOND_CHANNEL);
-  bc2.onmessage = t.step_func((event) => {
-    navigated = true;
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-  });
-
-  let win = window.open(`resources/popup_and_close.sub.html?channelName=${CHANNEL_NAME}&to=navigate_null.sub.html?channelName=${SECOND_CHANNEL}`, "_blank", "noopener");
-}, "Top-level popup with anonymous policy: Navigating the popup to a null policy should fail. (even opener window is closed)");
-
-</script>
diff --git a/html/cross-origin/anonymous.tentative.html.headers b/html/cross-origin/anonymous.tentative.html.headers
deleted file mode 100644
index a76b601291ec43..00000000000000
--- a/html/cross-origin/anonymous.tentative.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Cross-Origin: anonymous
diff --git a/html/cross-origin/null.tentative.html b/html/cross-origin/null.tentative.html
deleted file mode 100644
index ae871c4a273533..00000000000000
--- a/html/cross-origin/null.tentative.html
+++ /dev/null
@@ -1,103 +0,0 @@
-<!doctype html>
-<meta name="timeout" content="long">
-<title>Cross-Origin header and nested navigable resource without such header</title>
-<script src=/resources/testharness.js></script>
-<script src=/resources/testharnessreport.js></script>
-<script src="/common/get-host-info.sub.js"></script>
-<div id=log></div>
-<script>
-async_test(t => {
-  const frame = document.createElement("iframe");
-  frame.onload = t.step_func_done(() => {
-    assert_not_equals(frame.contentDocument, null, "The frame should actually load");
-  });
-  frame.src = "/common/blank.html";
-  document.body.append(frame);
-  assert_equals(frame.contentDocument.body.localName, "body");
-}, "Top-level with null policy: navigating a frame to a null policy should work.");
-
-async_test(t => {
-  const frame = document.createElement("iframe");
-  let firstNavOk = false;
-  frame.onload = t.step_func(() => {
-    assert_not_equals(frame.contentDocument, null);
-    firstNavOk = true;
-  });
-  t.step_timeout(() => {
-    assert_equals(firstNavOk, true, "The initial load should work");
-    assert_not_equals(frame.contentDocument, null, "Navigation to null policy should fail");
-    t.done();
-  }, 500);
-  frame.src = "resources/navigate_anonymous.sub.html?to=/common/blank.html";
-  document.body.append(frame);
-  assert_equals(frame.contentDocument.body.localName, "body");
-}, "Top-level with null policy: parent policy should apply to frame navigation from use-credentials policy to a null. Should succeed.");
-
-async_test(t => {
-  const frame = document.createElement("iframe");
-  let firstNavOk = false;
-  frame.onload = t.step_func(() => {
-    assert_not_equals(frame.contentDocument, null);
-    firstNavOk = true;
-  });
-  t.step_timeout(() => {
-    assert_equals(firstNavOk, true, "The initial load should work");
-    assert_not_equals(frame.contentDocument, null, "Navigation to null policy should fail");
-    t.done();
-  }, 500);
-  frame.src = "resources/navigate_anonymous.sub.html?to=/common/blank.html";
-  document.body.append(frame);
-  assert_equals(frame.contentDocument.body.localName, "body");
-}, "Top-level with null policy: parent policy should apply to frame navigation from anonymous policy to a null. Should succeed.");
-
-async_test(t => {
-  let w = window.open(`resources/navigate_null.sub.html?to=navigate_anonymous.sub.html`, "window_name");
-
-  t.add_cleanup(() => w.close());
-
-  t.step_timeout(() => {
-    w.history.back();
-    t.step_timeout(() => {
-      assert_not_equals(w.document, null);
-      t.done();
-    }, 500);
-  }, 500);
-}, "Top-level with null policy: navigating a frame back from a blocked page should work.");
-
-async_test(t => {
-  let pageLoaded = false;
-  const CHANNEL_NAME = "usecredentials-null-top-navigation";
-  let bc = new BroadcastChannel(CHANNEL_NAME);
-  let finished = false;
-  bc.onmessage = t.step_func((event) => {
-    pageLoaded = true;
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-  });
-
-  const SECOND_CHANNEL = "usecredentials-null-top-navigation-final";
-  let bc2 = new BroadcastChannel(SECOND_CHANNEL);
-  bc2.onmessage = t.step_func((event) => {
-    finished = true;
-    let payload = event.data;
-    assert_equals(payload, "loaded");
-  });
-
-  let win = window.open(`resources/navigate_usecredentials.sub.html?channelName=${CHANNEL_NAME}&to=navigate_null.sub.html?channelName=${SECOND_CHANNEL}`, "_blank", "noopener");
-
-  t.step_timeout(() => {
-    assert_equals(pageLoaded, true, "Opening a null window (noopener) from usecredentials window should work");
-    assert_equals(finished, true, "Navigating a top level window out of an usecredentials policy should work");
-    t.done();
-  }, 500);
-}, "Top-level noopener popup with use-credentials policy: navigating to a different (null) policy should work");
-
-promise_test(t => {
-  let host_info = get_host_info();
-  return fetch(host_info.HTTP_REMOTE_ORIGIN+"/html/cross-origin/resources/nothing.txt",
-        {"mode": "no-cors", "method": "GET", "headers":{}}).then(r => {
-    assert_equals(r.type, "opaque", "type should be opaque for cross origin fetch");
-  });
-}, "Fetch policy: null policy should not affect the no-cors mode");
-
-</script>
diff --git a/html/cross-origin/null.tentative.html.headers b/html/cross-origin/null.tentative.html.headers
deleted file mode 100644
index fd34f127d558b1..00000000000000
--- a/html/cross-origin/null.tentative.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Cross-Origin: unknown-should-be-parsed-as-null
diff --git a/html/cross-origin/resources/navigate_anonymous.sub.html.headers b/html/cross-origin/resources/navigate_anonymous.sub.html.headers
deleted file mode 100644
index a76b601291ec43..00000000000000
--- a/html/cross-origin/resources/navigate_anonymous.sub.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Cross-Origin: anonymous
diff --git a/html/cross-origin/resources/navigate_usecredentials.sub.html b/html/cross-origin/resources/navigate_usecredentials.sub.html
deleted file mode 100644
index 1008f70ff123ae..00000000000000
--- a/html/cross-origin/resources/navigate_usecredentials.sub.html
+++ /dev/null
@@ -1,18 +0,0 @@
-<!doctype html>
-<script>
-  let current = new URL(window.location.href);
-  let navigateTo = current.searchParams.get("to");
-  let channelName = current.searchParams.get("channelName");
-  current.search = "";
-  if (navigateTo) {
-    let next = new URL(navigateTo, current);
-    setTimeout(() => {
-      window.location = next.href;
-    }, 50);
-  }
-
-  if (channelName) {
-    let bc = new BroadcastChannel(channelName);
-    bc.postMessage("loaded");
-  }
-</script>
diff --git a/html/cross-origin/resources/navigate_usecredentials.sub.html.headers b/html/cross-origin/resources/navigate_usecredentials.sub.html.headers
deleted file mode 100644
index a84d3782037e7a..00000000000000
--- a/html/cross-origin/resources/navigate_usecredentials.sub.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Cross-Origin: use-credentials
diff --git a/html/cross-origin/resources/nothing.txt b/html/cross-origin/resources/nothing.txt
deleted file mode 100644
index 9dafe9be2099a3..00000000000000
--- a/html/cross-origin/resources/nothing.txt
+++ /dev/null
@@ -1 +0,0 @@
-nothing
diff --git a/html/cross-origin/resources/nothing.txt.headers b/html/cross-origin/resources/nothing.txt.headers
deleted file mode 100644
index cb762eff806849..00000000000000
--- a/html/cross-origin/resources/nothing.txt.headers
+++ /dev/null
@@ -1 +0,0 @@
-Access-Control-Allow-Origin: *
diff --git a/html/cross-origin/resources/popup_and_close.sub.html b/html/cross-origin/resources/popup_and_close.sub.html
deleted file mode 100644
index 2489fa8d2470df..00000000000000
--- a/html/cross-origin/resources/popup_and_close.sub.html
+++ /dev/null
@@ -1,18 +0,0 @@
-<!doctype html>
-<script>
-  let current = new URL(window.location.href);
-  let navigateTo = current.searchParams.get("to");
-  let channelName = current.searchParams.get("channelName");
-  let secondChannel = current.searchParams.get("secondChannel");
-
-  if (channelName) {
-    let bc = new BroadcastChannel(channelName);
-    bc.postMessage("popup-loaded");
-  }
-
-  let win = window.open(`navigate_anonymous.sub.html?channelName=${channelName}&to=navigate_null.sub.html?channelName=${secondChannel}`, "_blank");
-
-  setTimeout(() => {
-    window.close();
-  }, 10);
-</script>
diff --git a/html/cross-origin/resources/popup_and_close.sub.html.headers b/html/cross-origin/resources/popup_and_close.sub.html.headers
deleted file mode 100644
index a76b601291ec43..00000000000000
--- a/html/cross-origin/resources/popup_and_close.sub.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Cross-Origin: anonymous
diff --git a/html/cross-origin/usecredentials.tentative.html b/html/cross-origin/usecredentials.tentative.html
deleted file mode 100644
index 55c0f2235db27a..00000000000000
--- a/html/cross-origin/usecredentials.tentative.html
+++ /dev/null
@@ -1,54 +0,0 @@
-<!doctype html>
-<meta name="timeout" content="long">
-<title>Cross-Origin header and nested navigable resource without such header</title>
-<script src=/resources/testharness.js></script>
-<script src=/resources/testharnessreport.js></script>
-<div id=log></div>
-<script>
-async_test(t => {
-  const frame = document.createElement("iframe");
-  t.step_timeout(() => {
-    // Make sure the iframe didn't load.
-    assert_equals(frame.contentDocument, null);
-    t.done();
-  }, 500);
-  frame.src = "/common/blank.html";
-  document.body.append(frame);
-  assert_equals(frame.contentDocument.body.localName, "body");
-}, "Top-level with use-credentials policy: navigating a frame to a null policy should fail.");
-
-async_test(t => {
-  const frame = document.createElement("iframe");
-  let firstNavOk = false;
-  frame.onload = t.step_func(() => {
-    assert_not_equals(frame.contentDocument, null);
-    firstNavOk = true;
-  });
-  t.step_timeout(() => {
-    assert_equals(firstNavOk, true, "The initial load should work");
-    assert_equals(frame.contentDocument, null, "Navigation to null policy should fail");
-    t.done();
-  }, 500);
-  frame.src = "resources/navigate_usecredentials.sub.html?to=/common/blank.html";
-  document.body.append(frame);
-  assert_equals(frame.contentDocument.body.localName, "body");
-}, "Top-level with use-credentials policy: navigating a frame from a use-credentials policy to a null policy should fail");
-
-async_test(t => {
-  const frame = document.createElement("iframe");
-  let firstNavOk = false;
-  frame.onload = t.step_func(() => {
-    assert_not_equals(frame.contentDocument, null);
-    firstNavOk = true;
-  });
-  t.step_timeout(() => {
-    assert_equals(firstNavOk, true, "The initial load should work");
-    assert_equals(frame.contentDocument, null, "Navigation to null policy should fail");
-    t.done();
-  }, 500);
-  frame.src = "resources/navigate_anonymous.sub.html?to=/common/blank.html";
-  document.body.append(frame);
-  assert_equals(frame.contentDocument.body.localName, "body");
-}, "Top-level with use-credentials policy: navigating a frame from an anonymous policy to a null policy should fail.");
-
-</script>
diff --git a/html/cross-origin/usecredentials.tentative.html.headers b/html/cross-origin/usecredentials.tentative.html.headers
deleted file mode 100644
index a84d3782037e7a..00000000000000
--- a/html/cross-origin/usecredentials.tentative.html.headers
+++ /dev/null
@@ -1 +0,0 @@
-Cross-Origin: use-credentials
diff --git a/lint.whitelist b/lint.whitelist
index ea899da8b3c7a8..669038166ab38e 100644
--- a/lint.whitelist
+++ b/lint.whitelist
@@ -309,6 +309,8 @@ SET TIMEOUT: css/css-fonts/font-display/font-display-feature-policy-01.tentative
 SET TIMEOUT: css/css-fonts/font-display/font-display-feature-policy-02.tentative.html
 SET TIMEOUT: css/css-fonts/font-display/font-display-preload.html
 SET TIMEOUT: html/browsers/windows/auxiliary-browsing-contexts/resources/close-opener.html
+SET TIMEOUT: html/cross-origin-embedder-policy/resources/navigate-none.sub.html
+SET TIMEOUT: html/cross-origin-embedder-policy/resources/navigate-require-corp.sub.html
 SET TIMEOUT: html/dom/documents/dom-tree-accessors/Document.currentScript.html
 SET TIMEOUT: html/webappapis/timers/*
 SET TIMEOUT: resources/chromium/*