From f5cd3ab6bbe04f24c23a773718513e797953ad17 Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@chromium.org>
Date: Tue, 30 Apr 2024 01:59:34 -0700
Subject: [PATCH] [WIP] Sketching out `Sec-Fetch-Ancestors`

https://github.com/w3c/webappsec-fetch-metadata/issues/56

Change-Id: I91e072ddd777150c973ad24f3f729cb2fd979232
---
 ...appcache-manifest.https.sub.tentative.html |  88 +++++++
 .../audioworklet.https.sub.tentative.html     |  76 ++++++
 .../css-font-face.https.sub.tentative.html    |  33 +++
 .../css-font-face.sub.tentative.html          |  30 +++
 .../css-images.https.sub.tentative.html       | 225 ++++++++++++++++++
 .../generated/css-images.sub.tentative.html   | 210 ++++++++++++++++
 .../element-a.https.sub.tentative.html        | 102 ++++++++
 .../generated/element-a.sub.tentative.html    |  99 ++++++++
 .../element-area.https.sub.tentative.html     | 102 ++++++++
 .../generated/element-area.sub.tentative.html |  99 ++++++++
 .../element-audio.https.sub.tentative.html    |  74 ++++++
 .../element-audio.sub.tentative.html          |  71 ++++++
 .../element-embed.https.sub.tentative.html    |  71 ++++++
 .../element-embed.sub.tentative.html          |  68 ++++++
 .../element-frame.https.sub.tentative.html    |  83 +++++++
 .../element-frame.sub.tentative.html          |  80 +++++++
 .../element-iframe.https.sub.tentative.html   |  83 +++++++
 .../element-iframe.sub.tentative.html         |  80 +++++++
 ...nvironment-change.https.sub.tentative.html | 103 ++++++++
 ...-img-environment-change.sub.tentative.html | 100 ++++++++
 .../element-img.https.sub.tentative.html      | 122 ++++++++++
 .../generated/element-img.sub.tentative.html  | 116 +++++++++
 ...ement-input-image.https.sub.tentative.html |  65 +++++
 .../element-input-image.sub.tentative.html    |  62 +++++
 ...element-link-icon.https.sub.tentative.html |  99 ++++++++
 .../element-link-icon.sub.tentative.html      |  96 ++++++++
 ...prefetch.https.optional.sub.tentative.html |  95 ++++++++
 ...-link-prefetch.optional.sub.tentative.html |  92 +++++++
 ...-refresh.https.optional.sub.tentative.html |  82 +++++++
 ...t-meta-refresh.optional.sub.tentative.html |  79 ++++++
 .../element-picture.https.sub.tentative.html  | 184 ++++++++++++++
 .../element-picture.sub.tentative.html        | 175 ++++++++++++++
 .../element-script.https.sub.tentative.html   | 130 ++++++++++
 .../element-script.sub.tentative.html         | 124 ++++++++++
 ...ment-video-poster.https.sub.tentative.html |  79 ++++++
 .../element-video-poster.sub.tentative.html   |  76 ++++++
 .../element-video.https.sub.tentative.html    |  74 ++++++
 .../element-video.sub.tentative.html          |  71 ++++++
 ...via-serviceworker.https.sub.tentative.html | 140 +++++++++++
 .../generated/fetch.https.sub.tentative.html  |  65 +++++
 .../generated/fetch.sub.tentative.html        |  62 +++++
 .../form-submission.https.sub.tentative.html  | 138 +++++++++++
 .../form-submission.sub.tentative.html        | 132 ++++++++++
 .../header-link.https.sub.tentative.html      |  90 +++++++
 .../generated/header-link.sub.tentative.html  | 120 ++++++++++
 ...-refresh.https.optional.sub.tentative.html |  78 ++++++
 ...header-refresh.optional.sub.tentative.html |  75 ++++++
 ...le-import-dynamic.https.sub.tentative.html |  59 +++++
 ...t-module-import-dynamic.sub.tentative.html |  56 +++++
 ...ule-import-static.https.sub.tentative.html |  79 ++++++
 ...pt-module-import-static.sub.tentative.html |  76 ++++++
 .../serviceworker.https.sub.tentative.html    |  60 +++++
 .../svg-image.https.sub.tentative.html        |  97 ++++++++
 .../generated/svg-image.sub.tentative.html    |  94 ++++++++
 .../window-history.https.sub.tentative.html   | 167 +++++++++++++
 .../window-history.sub.tentative.html         | 161 +++++++++++++
 .../window-location.https.sub.tentative.html  | 225 ++++++++++++++++++
 .../window-location.sub.tentative.html        | 213 +++++++++++++++++
 ...r-dedicated-constructor.sub.tentative.html |  39 +++
 ...ted-importscripts.https.sub.tentative.html |  73 ++++++
 ...dedicated-importscripts.sub.tentative.html |  70 ++++++
 fetch/metadata/tools/fetch-metadata.conf.yml  |  84 ++++++-
 62 files changed, 6150 insertions(+), 1 deletion(-)
 create mode 100644 fetch/metadata/generated/appcache-manifest.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/audioworklet.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-a.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-a.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-area.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-area.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-audio.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-audio.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-embed.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-embed.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-frame.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-frame.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-iframe.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-iframe.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-img-environment-change.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-img-environment-change.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-img.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-img.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-input-image.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-input-image.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-link-icon.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-link-icon.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-link-prefetch.https.optional.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-link-prefetch.optional.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-meta-refresh.https.optional.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-meta-refresh.optional.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-picture.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-picture.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-script.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-script.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-video-poster.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-video-poster.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-video.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/element-video.sub.tentative.html
 create mode 100644 fetch/metadata/generated/fetch-via-serviceworker.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/fetch.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/fetch.sub.tentative.html
 create mode 100644 fetch/metadata/generated/form-submission.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/form-submission.sub.tentative.html
 create mode 100644 fetch/metadata/generated/header-link.sub.tentative.html
 create mode 100644 fetch/metadata/generated/header-refresh.https.optional.sub.tentative.html
 create mode 100644 fetch/metadata/generated/header-refresh.optional.sub.tentative.html
 create mode 100644 fetch/metadata/generated/script-module-import-dynamic.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/script-module-import-dynamic.sub.tentative.html
 create mode 100644 fetch/metadata/generated/script-module-import-static.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/script-module-import-static.sub.tentative.html
 create mode 100644 fetch/metadata/generated/serviceworker.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/svg-image.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/svg-image.sub.tentative.html
 create mode 100644 fetch/metadata/generated/window-history.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/window-history.sub.tentative.html
 create mode 100644 fetch/metadata/generated/window-location.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/window-location.sub.tentative.html
 create mode 100644 fetch/metadata/generated/worker-dedicated-constructor.sub.tentative.html
 create mode 100644 fetch/metadata/generated/worker-dedicated-importscripts.https.sub.tentative.html
 create mode 100644 fetch/metadata/generated/worker-dedicated-importscripts.sub.tentative.html

diff --git a/fetch/metadata/generated/appcache-manifest.https.sub.tentative.html b/fetch/metadata/generated/appcache-manifest.https.sub.tentative.html
new file mode 100644
index 00000000000000..108b7e9f6efd3f
--- /dev/null
+++ b/fetch/metadata/generated/appcache-manifest.https.sub.tentative.html
@@ -0,0 +1,88 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/appcache-manifest.sub.https.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for Appcache manifest</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url) {
+    const iframe = document.createElement('iframe');
+    iframe.src =
+      '/fetch/metadata/resources/appcache-iframe.sub.html?manifest=' + encodeURIComponent(url);
+
+    return new Promise((resolve) => {
+        addEventListener('message', function onMessage(event) {
+          if (event.source !== iframe.contentWindow) {
+            return;
+          }
+          removeEventListener('message', onMessage);
+          resolve(event.data);
+        });
+
+        document.body.appendChild(iframe);
+      })
+      .then((message) => {
+        if (message !== 'okay') {
+          throw message;
+        }
+      })
+      .then(() => iframe.remove());
+  }
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    assert_implements_optional(
+      !!window.applicationCache, 'Application Cache supported.'
+    );
+
+    induceRequest(makeRequestURL(key, ['httpsOrigin']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+      })
+      .then(() => t.done(), t.step_func((error) => { throw error; }));
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    assert_implements_optional(
+      !!window.applicationCache, 'Application Cache supported.'
+    );
+
+    induceRequest(makeRequestURL(key, ['httpsCrossSite']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+      })
+      .then(() => t.done(), t.step_func((error) => { throw error; }));
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    assert_implements_optional(
+      !!window.applicationCache, 'Application Cache supported.'
+    );
+
+    induceRequest(makeRequestURL(key, ['httpsSameSite']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+      })
+      .then(() => t.done(), t.step_func((error) => { throw error; }));
+  }, 'sec-fetch-frame-ancestors - Same site');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/audioworklet.https.sub.tentative.html b/fetch/metadata/generated/audioworklet.https.sub.tentative.html
new file mode 100644
index 00000000000000..083fee2985492f
--- /dev/null
+++ b/fetch/metadata/generated/audioworklet.https.sub.tentative.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/audioworklet.https.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for AudioWorklet module</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/resources/testdriver.js"></script>
+  <script src="/resources/testdriver-vendor.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, test) {
+    return test_driver.bless(
+      'Enable WebAudio playback',
+      () => {
+        const audioContext = new AudioContext();
+
+        test.add_cleanup(() => audioContext.close());
+
+        return audioContext.audioWorklet.addModule(url);
+      }
+    );
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin'], {mime: 'text/javascript'}),
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite'], {mime: 'text/javascript'}),
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite'], {mime: 'text/javascript'}),
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/css-font-face.https.sub.tentative.html b/fetch/metadata/generated/css-font-face.https.sub.tentative.html
index 332effeb1f80a5..170657a6b55a0d 100644
--- a/fetch/metadata/generated/css-font-face.https.sub.tentative.html
+++ b/fetch/metadata/generated/css-font-face.https.sub.tentative.html
@@ -194,6 +194,39 @@
       });
   }, 'sec-fetch-site - Same-Site -> Cross-Site');
 
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpsOrigin']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpsCrossSite']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpsSameSite']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same site');
+
   promise_test((t) => {
     const key = '{{uuid()}}';
 
diff --git a/fetch/metadata/generated/css-font-face.sub.tentative.html b/fetch/metadata/generated/css-font-face.sub.tentative.html
index 8a0b90cee103db..6fc930183ceb37 100644
--- a/fetch/metadata/generated/css-font-face.sub.tentative.html
+++ b/fetch/metadata/generated/css-font-face.sub.tentative.html
@@ -160,6 +160,36 @@
       });
   }, 'sec-fetch-user - Not sent to non-trustworthy cross-site destination');
 
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpOrigin']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpSameSite']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpCrossSite']))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+
   promise_test((t) => {
     const key = '{{uuid()}}';
 
diff --git a/fetch/metadata/generated/css-images.https.sub.tentative.html b/fetch/metadata/generated/css-images.https.sub.tentative.html
index 3fa240192894e0..aceca20c3caf13 100644
--- a/fetch/metadata/generated/css-images.https.sub.tentative.html
+++ b/fetch/metadata/generated/css-images.https.sub.tentative.html
@@ -1154,6 +1154,231 @@
       .then(t.step_func_done(), t.unreached_func());
   }, 'list-style-image sec-fetch-site - HTTPS downgrade-upgrade');
 
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsOrigin']);
+
+    declarations.push(`background-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_equals(headers['sec-fetch-frame-ancestors'], 'same-origin');
+        })
+        .then(t.step_func_done(), (error) => t.unreached_func());
+  }, 'background-image sec-fetch-frame-ancestors - Same origin');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsOrigin']);
+
+    declarations.push(`border-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'border-image sec-fetch-frame-ancestors - Same origin');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsOrigin']);
+
+    declarations.push(`content: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'content sec-fetch-frame-ancestors - Same origin');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsOrigin']);
+
+    declarations.push(`cursor: url("${url}"), auto;`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'cursor sec-fetch-frame-ancestors - Same origin');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsOrigin']);
+
+    declarations.push(`list-style-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'list-style-image sec-fetch-frame-ancestors - Same origin');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsCrossSite']);
+
+    declarations.push(`background-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_equals(headers['sec-fetch-frame-ancestors'], 'cross-site');
+        })
+        .then(t.step_func_done(), (error) => t.unreached_func());
+  }, 'background-image sec-fetch-frame-ancestors - Cross-site');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsCrossSite']);
+
+    declarations.push(`border-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'border-image sec-fetch-frame-ancestors - Cross-site');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsCrossSite']);
+
+    declarations.push(`content: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'content sec-fetch-frame-ancestors - Cross-site');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsCrossSite']);
+
+    declarations.push(`cursor: url("${url}"), auto;`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'cursor sec-fetch-frame-ancestors - Cross-site');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsCrossSite']);
+
+    declarations.push(`list-style-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'list-style-image sec-fetch-frame-ancestors - Cross-site');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsSameSite']);
+
+    declarations.push(`background-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_equals(headers['sec-fetch-frame-ancestors'], 'same-site');
+        })
+        .then(t.step_func_done(), (error) => t.unreached_func());
+  }, 'background-image sec-fetch-frame-ancestors - Same site');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsSameSite']);
+
+    declarations.push(`border-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'border-image sec-fetch-frame-ancestors - Same site');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsSameSite']);
+
+    declarations.push(`content: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'content sec-fetch-frame-ancestors - Same site');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsSameSite']);
+
+    declarations.push(`cursor: url("${url}"), auto;`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'cursor sec-fetch-frame-ancestors - Same site');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsSameSite']);
+
+    declarations.push(`list-style-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'list-style-image sec-fetch-frame-ancestors - Same site');
+
   async_test((t) => {
     const key = '{{uuid()}}';
     const url = makeRequestURL(key, []);
diff --git a/fetch/metadata/generated/css-images.sub.tentative.html b/fetch/metadata/generated/css-images.sub.tentative.html
index f1ef27cf08730e..12f695d5220493 100644
--- a/fetch/metadata/generated/css-images.sub.tentative.html
+++ b/fetch/metadata/generated/css-images.sub.tentative.html
@@ -869,6 +869,216 @@
       .then(t.step_func_done(), t.unreached_func());
   }, 'list-style-image sec-fetch-user - Not sent to non-trustworthy cross-site destination');
 
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpOrigin']);
+
+    declarations.push(`background-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+        .then(t.step_func_done(), (error) => t.unreached_func());
+  }, 'background-image sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpOrigin']);
+
+    declarations.push(`border-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'border-image sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpOrigin']);
+
+    declarations.push(`content: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'content sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpOrigin']);
+
+    declarations.push(`cursor: url("${url}"), auto;`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'cursor sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpOrigin']);
+
+    declarations.push(`list-style-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'list-style-image sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpSameSite']);
+
+    declarations.push(`background-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+        .then(t.step_func_done(), (error) => t.unreached_func());
+  }, 'background-image sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpSameSite']);
+
+    declarations.push(`border-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'border-image sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpSameSite']);
+
+    declarations.push(`content: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'content sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpSameSite']);
+
+    declarations.push(`cursor: url("${url}"), auto;`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'cursor sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpSameSite']);
+
+    declarations.push(`list-style-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'list-style-image sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpCrossSite']);
+
+    declarations.push(`background-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+        .then(t.step_func_done(), (error) => t.unreached_func());
+  }, 'background-image sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpCrossSite']);
+
+    declarations.push(`border-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'border-image sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpCrossSite']);
+
+    declarations.push(`content: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'content sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpCrossSite']);
+
+    declarations.push(`cursor: url("${url}"), auto;`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'cursor sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+
+  async_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpCrossSite']);
+
+    declarations.push(`list-style-image: url("${url}");`);
+
+    whenIframeReady
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        })
+      .then(t.step_func_done(), t.unreached_func());
+  }, 'list-style-image sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+
   async_test((t) => {
     const key = '{{uuid()}}';
     const url = makeRequestURL(key, ['httpsOrigin', 'httpOrigin']);
diff --git a/fetch/metadata/generated/element-a.https.sub.tentative.html b/fetch/metadata/generated/element-a.https.sub.tentative.html
new file mode 100644
index 00000000000000..bc7ec992219061
--- /dev/null
+++ b/fetch/metadata/generated/element-a.https.sub.tentative.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-a.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "a" element navigation</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, {test, userActivated, attributes}) {
+    const win = window.open();
+    const anchor = win.document.createElement('a');
+    anchor.setAttribute('href', url);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      anchor.setAttribute(name, value);
+    }
+
+    win.document.body.appendChild(anchor);
+
+    test.add_cleanup(() => win.close());
+
+    if (userActivated) {
+      test_driver.bless('enable user activation', () => anchor.click());
+    } else {
+      anchor.click();
+    }
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      makeRequestURL(key, ['httpsOrigin'], {mime: 'text/html'}),
+      {
+        test: t,
+        userActivated: false,
+        attributes: {}
+      }
+    );
+
+    // `induceRequest` does not necessarily trigger a navigation, so the Python
+    // handler must be polled until it has received the initial request.
+    return retrieve(key, {poll: true})
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin - no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      makeRequestURL(key, ['httpsCrossSite'], {mime: 'text/html'}),
+      {
+        test: t,
+        userActivated: false,
+        attributes: {}
+      }
+    );
+
+    // `induceRequest` does not necessarily trigger a navigation, so the Python
+    // handler must be polled until it has received the initial request.
+    return retrieve(key, {poll: true})
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site - no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      makeRequestURL(key, ['httpsSameSite'], {mime: 'text/html'}),
+      {
+        test: t,
+        userActivated: false,
+        attributes: {}
+      }
+    );
+
+    // `induceRequest` does not necessarily trigger a navigation, so the Python
+    // handler must be polled until it has received the initial request.
+    return retrieve(key, {poll: true})
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site - no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-a.sub.tentative.html b/fetch/metadata/generated/element-a.sub.tentative.html
new file mode 100644
index 00000000000000..dfc4d7298a9a11
--- /dev/null
+++ b/fetch/metadata/generated/element-a.sub.tentative.html
@@ -0,0 +1,99 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-a.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "a" element navigation</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, {test, userActivated, attributes}) {
+    const win = window.open();
+    const anchor = win.document.createElement('a');
+    anchor.setAttribute('href', url);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      anchor.setAttribute(name, value);
+    }
+
+    win.document.body.appendChild(anchor);
+
+    test.add_cleanup(() => win.close());
+
+    if (userActivated) {
+      test_driver.bless('enable user activation', () => anchor.click());
+    } else {
+      anchor.click();
+    }
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      makeRequestURL(key, ['httpOrigin'], {mime: 'text/html'}),
+      {
+        test: t,
+        userActivated: false,
+        attributes: {}
+      }
+    );
+
+    // `induceRequest` does not necessarily trigger a navigation, so the Python
+    // handler must be polled until it has received the initial request.
+    return retrieve(key, {poll: true})
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination - no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      makeRequestURL(key, ['httpSameSite'], {mime: 'text/html'}),
+      {
+        test: t,
+        userActivated: false,
+        attributes: {}
+      }
+    );
+
+    // `induceRequest` does not necessarily trigger a navigation, so the Python
+    // handler must be polled until it has received the initial request.
+    return retrieve(key, {poll: true})
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination - no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      makeRequestURL(key, ['httpCrossSite'], {mime: 'text/html'}),
+      {
+        test: t,
+        userActivated: false,
+        attributes: {}
+      }
+    );
+
+    // `induceRequest` does not necessarily trigger a navigation, so the Python
+    // handler must be polled until it has received the initial request.
+    return retrieve(key, {poll: true})
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination - no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-area.https.sub.tentative.html b/fetch/metadata/generated/element-area.https.sub.tentative.html
new file mode 100644
index 00000000000000..97d88e14b35f23
--- /dev/null
+++ b/fetch/metadata/generated/element-area.https.sub.tentative.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-area.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "area" element navigation</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, {test, userActivated, attributes}) {
+    const win = window.open();
+    const area = win.document.createElement('area');
+    area.setAttribute('href', url);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      area.setAttribute(name, value);
+    }
+
+    win.document.body.appendChild(area);
+
+    test.add_cleanup(() => win.close());
+
+    if (userActivated) {
+      test_driver.bless('enable user activation', () => area.click());
+    } else {
+      area.click();
+    }
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      makeRequestURL(key, ['httpsOrigin'], {mime: 'text/html'}),
+      {
+        test: t,
+        userActivated: false,
+        attributes: {}
+      }
+    );
+
+    // `induceRequest` does not necessarily trigger a navigation, so the Python
+    // handler must be polled until it has received the initial request.
+    return retrieve(key, {poll: true})
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin - no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      makeRequestURL(key, ['httpsCrossSite'], {mime: 'text/html'}),
+      {
+        test: t,
+        userActivated: false,
+        attributes: {}
+      }
+    );
+
+    // `induceRequest` does not necessarily trigger a navigation, so the Python
+    // handler must be polled until it has received the initial request.
+    return retrieve(key, {poll: true})
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site - no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      makeRequestURL(key, ['httpsSameSite'], {mime: 'text/html'}),
+      {
+        test: t,
+        userActivated: false,
+        attributes: {}
+      }
+    );
+
+    // `induceRequest` does not necessarily trigger a navigation, so the Python
+    // handler must be polled until it has received the initial request.
+    return retrieve(key, {poll: true})
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site - no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-area.sub.tentative.html b/fetch/metadata/generated/element-area.sub.tentative.html
new file mode 100644
index 00000000000000..9002a6ed2e99e6
--- /dev/null
+++ b/fetch/metadata/generated/element-area.sub.tentative.html
@@ -0,0 +1,99 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-area.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "area" element navigation</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, {test, userActivated, attributes}) {
+    const win = window.open();
+    const area = win.document.createElement('area');
+    area.setAttribute('href', url);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      area.setAttribute(name, value);
+    }
+
+    win.document.body.appendChild(area);
+
+    test.add_cleanup(() => win.close());
+
+    if (userActivated) {
+      test_driver.bless('enable user activation', () => area.click());
+    } else {
+      area.click();
+    }
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      makeRequestURL(key, ['httpOrigin'], {mime: 'text/html'}),
+      {
+        test: t,
+        userActivated: false,
+        attributes: {}
+      }
+    );
+
+    // `induceRequest` does not necessarily trigger a navigation, so the Python
+    // handler must be polled until it has received the initial request.
+    return retrieve(key, {poll: true})
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination - no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      makeRequestURL(key, ['httpSameSite'], {mime: 'text/html'}),
+      {
+        test: t,
+        userActivated: false,
+        attributes: {}
+      }
+    );
+
+    // `induceRequest` does not necessarily trigger a navigation, so the Python
+    // handler must be polled until it has received the initial request.
+    return retrieve(key, {poll: true})
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination - no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      makeRequestURL(key, ['httpCrossSite'], {mime: 'text/html'}),
+      {
+        test: t,
+        userActivated: false,
+        attributes: {}
+      }
+    );
+
+    // `induceRequest` does not necessarily trigger a navigation, so the Python
+    // handler must be polled until it has received the initial request.
+    return retrieve(key, {poll: true})
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination - no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-audio.https.sub.tentative.html b/fetch/metadata/generated/element-audio.https.sub.tentative.html
new file mode 100644
index 00000000000000..3a8dec4c57450f
--- /dev/null
+++ b/fetch/metadata/generated/element-audio.https.sub.tentative.html
@@ -0,0 +1,74 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-audio.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "audio" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, attributes) {
+    const audio = document.createElement('audio');
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      audio.setAttribute(name, value);
+    }
+
+    return new Promise((resolve) => {
+        audio.setAttribute('src', url);
+        audio.onload = audio.onerror = resolve;
+      });
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site, no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-audio.sub.tentative.html b/fetch/metadata/generated/element-audio.sub.tentative.html
new file mode 100644
index 00000000000000..a0618e3dadcf80
--- /dev/null
+++ b/fetch/metadata/generated/element-audio.sub.tentative.html
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-audio.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "audio" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, attributes) {
+    const audio = document.createElement('audio');
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      audio.setAttribute(name, value);
+    }
+
+    return new Promise((resolve) => {
+        audio.setAttribute('src', url);
+        audio.onload = audio.onerror = resolve;
+      });
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination, no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-embed.https.sub.tentative.html b/fetch/metadata/generated/element-embed.https.sub.tentative.html
new file mode 100644
index 00000000000000..6737ccac3d817d
--- /dev/null
+++ b/fetch/metadata/generated/element-embed.https.sub.tentative.html
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-embed.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "embed" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  const params = {
+    body: `
+      <svg xmlns="http://www.w3.org/2000/svg" width="123" height="123">
+        <rect fill="lime" width="123" height="123"/>
+      </svg>
+    `,
+    mime: 'image/svg+xml'
+  };
+
+  function induceRequest(t, url) {
+    const embed = document.createElement('embed');
+    embed.setAttribute('src', url);
+    document.body.appendChild(embed);
+
+    t.add_cleanup(() => embed.remove());
+
+    return new Promise((resolve) => embed.addEventListener('load', resolve));
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpsOrigin'], params))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpsCrossSite'], params))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpsSameSite'], params))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same site');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-embed.sub.tentative.html b/fetch/metadata/generated/element-embed.sub.tentative.html
new file mode 100644
index 00000000000000..bd8ed195f87500
--- /dev/null
+++ b/fetch/metadata/generated/element-embed.sub.tentative.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-embed.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "embed" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  const params = {
+    body: `
+      <svg xmlns="http://www.w3.org/2000/svg" width="123" height="123">
+        <rect fill="lime" width="123" height="123"/>
+      </svg>
+    `,
+    mime: 'image/svg+xml'
+  };
+
+  function induceRequest(t, url) {
+    const embed = document.createElement('embed');
+    embed.setAttribute('src', url);
+    document.body.appendChild(embed);
+
+    t.add_cleanup(() => embed.remove());
+
+    return new Promise((resolve) => embed.addEventListener('load', resolve));
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpOrigin'], params))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpSameSite'], params))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpCrossSite'], params))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-frame.https.sub.tentative.html b/fetch/metadata/generated/element-frame.https.sub.tentative.html
new file mode 100644
index 00000000000000..d692b48e44f679
--- /dev/null
+++ b/fetch/metadata/generated/element-frame.https.sub.tentative.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-frame.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "frame" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, test, userActivated) {
+    const frame = document.createElement('frame');
+
+    const setSrc = () => frame.setAttribute('src', url);
+
+    document.body.appendChild(frame);
+    test.add_cleanup(() => frame.remove());
+
+    return new Promise((resolve) => {
+       if (userActivated) {
+         test_driver.bless('enable user activation', setSrc);
+       } else {
+         setSrc();
+       }
+
+        frame.onload = frame.onerror = resolve;
+      });
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin'], {mime: 'text/html'}),
+        t,
+        false
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite'], {mime: 'text/html'}),
+        t,
+        false
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite'], {mime: 'text/html'}),
+        t,
+        false
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-frame.sub.tentative.html b/fetch/metadata/generated/element-frame.sub.tentative.html
new file mode 100644
index 00000000000000..ad17c9c4487618
--- /dev/null
+++ b/fetch/metadata/generated/element-frame.sub.tentative.html
@@ -0,0 +1,80 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-frame.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "frame" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, test, userActivated) {
+    const frame = document.createElement('frame');
+
+    const setSrc = () => frame.setAttribute('src', url);
+
+    document.body.appendChild(frame);
+    test.add_cleanup(() => frame.remove());
+
+    return new Promise((resolve) => {
+       if (userActivated) {
+         test_driver.bless('enable user activation', setSrc);
+       } else {
+         setSrc();
+       }
+
+        frame.onload = frame.onerror = resolve;
+      });
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin'], {mime: 'text/html'}),
+        t,
+        false
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite'], {mime: 'text/html'}),
+        t,
+        false
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite'], {mime: 'text/html'}),
+        t,
+        false
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-iframe.https.sub.tentative.html b/fetch/metadata/generated/element-iframe.https.sub.tentative.html
new file mode 100644
index 00000000000000..61a8c2822adaf5
--- /dev/null
+++ b/fetch/metadata/generated/element-iframe.https.sub.tentative.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-iframe.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "frame" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, test, userActivated) {
+    const iframe = document.createElement('iframe');
+
+    const setSrc = () => iframe.setAttribute('src', url);
+
+    document.body.appendChild(iframe);
+    test.add_cleanup(() => iframe.remove());
+
+    return new Promise((resolve) => {
+       if (userActivated) {
+         test_driver.bless('enable user activation', setSrc);
+       } else {
+         setSrc();
+       }
+
+        iframe.onload = iframe.onerror = resolve;
+      });
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin'], {mime: 'text/html'}),
+        t,
+        false
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite'], {mime: 'text/html'}),
+        t,
+        false
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite'], {mime: 'text/html'}),
+        t,
+        false
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-iframe.sub.tentative.html b/fetch/metadata/generated/element-iframe.sub.tentative.html
new file mode 100644
index 00000000000000..bec0458dd1ffbe
--- /dev/null
+++ b/fetch/metadata/generated/element-iframe.sub.tentative.html
@@ -0,0 +1,80 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-iframe.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "frame" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, test, userActivated) {
+    const iframe = document.createElement('iframe');
+
+    const setSrc = () => iframe.setAttribute('src', url);
+
+    document.body.appendChild(iframe);
+    test.add_cleanup(() => iframe.remove());
+
+    return new Promise((resolve) => {
+       if (userActivated) {
+         test_driver.bless('enable user activation', setSrc);
+       } else {
+         setSrc();
+       }
+
+        iframe.onload = iframe.onerror = resolve;
+      });
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin'], {mime: 'text/html'}),
+        t,
+        false
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite'], {mime: 'text/html'}),
+        t,
+        false
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite'], {mime: 'text/html'}),
+        t,
+        false
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-img-environment-change.https.sub.tentative.html b/fetch/metadata/generated/element-img-environment-change.https.sub.tentative.html
new file mode 100644
index 00000000000000..35e22a8ad6d1a2
--- /dev/null
+++ b/fetch/metadata/generated/element-img-environment-change.https.sub.tentative.html
@@ -0,0 +1,103 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-img-environment-change.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on image request triggered by change to environment</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  // The response to the request under test must describe a valid image
+  // resource in order for the `load` event to be fired.
+  const params = {
+    body: `
+      <svg xmlns="http://www.w3.org/2000/svg" width="123" height="123">
+        <rect fill="lime" width="123" height="123"/>
+      </svg>
+    `,
+    mime: 'image/svg+xml'
+  };
+
+  function induceRequest(t, url, attributes) {
+    const iframe = document.createElement('iframe');
+    iframe.style.width = '50px';
+    document.body.appendChild(iframe);
+    t.add_cleanup(() => iframe.remove());
+    iframe.contentDocument.open();
+    iframe.contentDocument.close();
+
+    const image = iframe.contentDocument.createElement('img');
+    for (const [ name, value ] of Object.entries(attributes)) {
+      image.setAttribute(name, value);
+    }
+    iframe.contentDocument.body.appendChild(image);
+
+    image.setAttribute('srcset', `${url} 100w, /media/1x1-green.png 1w`);
+    image.setAttribute('sizes', '(max-width: 100px) 1px, (min-width: 150px) 123px');
+
+    return new Promise((resolve) => {
+        image.onload = image.onerror = resolve;
+      })
+      .then(() => {
+
+        iframe.style.width = '200px';
+
+        return new Promise((resolve) => image.onload = resolve);
+      });
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpsOrigin'], params),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin, no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpsCrossSite'], params),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site, no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpsSameSite'], params),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site, no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-img-environment-change.sub.tentative.html b/fetch/metadata/generated/element-img-environment-change.sub.tentative.html
new file mode 100644
index 00000000000000..6bbda378576bcb
--- /dev/null
+++ b/fetch/metadata/generated/element-img-environment-change.sub.tentative.html
@@ -0,0 +1,100 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-img-environment-change.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on image request triggered by change to environment</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  // The response to the request under test must describe a valid image
+  // resource in order for the `load` event to be fired.
+  const params = {
+    body: `
+      <svg xmlns="http://www.w3.org/2000/svg" width="123" height="123">
+        <rect fill="lime" width="123" height="123"/>
+      </svg>
+    `,
+    mime: 'image/svg+xml'
+  };
+
+  function induceRequest(t, url, attributes) {
+    const iframe = document.createElement('iframe');
+    iframe.style.width = '50px';
+    document.body.appendChild(iframe);
+    t.add_cleanup(() => iframe.remove());
+    iframe.contentDocument.open();
+    iframe.contentDocument.close();
+
+    const image = iframe.contentDocument.createElement('img');
+    for (const [ name, value ] of Object.entries(attributes)) {
+      image.setAttribute(name, value);
+    }
+    iframe.contentDocument.body.appendChild(image);
+
+    image.setAttribute('srcset', `${url} 100w, /media/1x1-green.png 1w`);
+    image.setAttribute('sizes', '(max-width: 100px) 1px, (min-width: 150px) 123px');
+
+    return new Promise((resolve) => {
+        image.onload = image.onerror = resolve;
+      })
+      .then(() => {
+
+        iframe.style.width = '200px';
+
+        return new Promise((resolve) => image.onload = resolve);
+      });
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpOrigin'], params),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination, no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpSameSite'], params),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination, no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpCrossSite'], params),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination, no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-img.https.sub.tentative.html b/fetch/metadata/generated/element-img.https.sub.tentative.html
new file mode 100644
index 00000000000000..525ba34b2e4ad8
--- /dev/null
+++ b/fetch/metadata/generated/element-img.https.sub.tentative.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-img.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "img" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, sourceAttr, attributes) {
+    const image = document.createElement('img');
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      image.setAttribute(name, value);
+    }
+
+    return new Promise((resolve) => {
+        image.setAttribute(sourceAttr, url);
+        image.onload = image.onerror = resolve;
+      });
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin']),
+        'src',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - src - Same origin, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin']),
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - srcset - Same origin, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite']),
+        'src',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - src - Cross-site, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite']),
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - srcset - Cross-site, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite']),
+        'src',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - src - Same site, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite']),
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - srcset - Same site, no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-img.sub.tentative.html b/fetch/metadata/generated/element-img.sub.tentative.html
new file mode 100644
index 00000000000000..e59ff77135e1a8
--- /dev/null
+++ b/fetch/metadata/generated/element-img.sub.tentative.html
@@ -0,0 +1,116 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-img.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "img" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, sourceAttr, attributes) {
+    const image = document.createElement('img');
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      image.setAttribute(name, value);
+    }
+
+    return new Promise((resolve) => {
+        image.setAttribute(sourceAttr, url);
+        image.onload = image.onerror = resolve;
+      });
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin']),
+        'src',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - src - Not sent to non-trustworthy same-origin destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin']),
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - srcset - Not sent to non-trustworthy same-origin destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite']),
+        'src',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - src - Not sent to non-trustworthy same-site destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite']),
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - srcset - Not sent to non-trustworthy same-site destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite']),
+        'src',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - src - Not sent to non-trustworthy cross-site destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite']),
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - srcset - Not sent to non-trustworthy cross-site destination, no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-input-image.https.sub.tentative.html b/fetch/metadata/generated/element-input-image.https.sub.tentative.html
new file mode 100644
index 00000000000000..4150ed9cebc9d8
--- /dev/null
+++ b/fetch/metadata/generated/element-input-image.https.sub.tentative.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-input-image.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "input" element with type="button"</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, test) {
+    const input = document.createElement('input');
+    input.setAttribute('type', 'image');
+
+    document.body.appendChild(input);
+    test.add_cleanup(() => input.remove());
+
+    return new Promise((resolve) => {
+        input.onload = input.onerror = resolve;
+        input.setAttribute('src', url);
+      });
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(makeRequestURL(key, ['httpsOrigin']), t)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin, no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(makeRequestURL(key, ['httpsCrossSite']), t)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site, no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(makeRequestURL(key, ['httpsSameSite']), t)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site, no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-input-image.sub.tentative.html b/fetch/metadata/generated/element-input-image.sub.tentative.html
new file mode 100644
index 00000000000000..d5a71a2e567627
--- /dev/null
+++ b/fetch/metadata/generated/element-input-image.sub.tentative.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-input-image.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "input" element with type="button"</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, test) {
+    const input = document.createElement('input');
+    input.setAttribute('type', 'image');
+
+    document.body.appendChild(input);
+    test.add_cleanup(() => input.remove());
+
+    return new Promise((resolve) => {
+        input.onload = input.onerror = resolve;
+        input.setAttribute('src', url);
+      });
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(makeRequestURL(key, ['httpOrigin']), t)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination, no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(makeRequestURL(key, ['httpSameSite']), t)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination, no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(makeRequestURL(key, ['httpCrossSite']), t)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination, no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-link-icon.https.sub.tentative.html b/fetch/metadata/generated/element-link-icon.https.sub.tentative.html
new file mode 100644
index 00000000000000..2e9f394460ac51
--- /dev/null
+++ b/fetch/metadata/generated/element-link-icon.https.sub.tentative.html
@@ -0,0 +1,99 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-link-icon.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "link" element with rel="icon"</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  const params = {
+    body: `
+      <svg xmlns="http://www.w3.org/2000/svg" width="123" height="123">
+        <rect fill="lime" width="123" height="123"/>
+      </svg>
+    `,
+    mime: 'image/svg+xml'
+  };
+
+  /**
+   * The `link` element supports a `load` event. That event would reliably
+   * indicate that the browser had received the request. Multiple major
+   * browsers do not implement the event, however, so in order to promote the
+   * visibility of this test, a less efficient polling-based detection
+   * mechanism is used.
+   *
+   * https://bugzilla.mozilla.org/show_bug.cgi?id=1638188
+   * https://bugs.chromium.org/p/chromium/issues/detail?id=1083034
+   */
+  function induceRequest(t, url, attributes) {
+    const link = document.createElement('link');
+    link.setAttribute('rel', 'icon');
+    link.setAttribute('href', url);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      link.setAttribute(name, value);
+    }
+
+    document.head.appendChild(link);
+    t.add_cleanup(() => link.remove());
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      t,
+      makeRequestURL(key, ['httpsOrigin'], params),
+      {}
+    );
+
+    return retrieve(key, {poll:true})
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same origin no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      t,
+      makeRequestURL(key, ['httpsCrossSite'], params),
+      {}
+    );
+
+    return retrieve(key, {poll:true})
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Cross-site no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      t,
+      makeRequestURL(key, ['httpsSameSite'], params),
+      {}
+    );
+
+    return retrieve(key, {poll:true})
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same site no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-link-icon.sub.tentative.html b/fetch/metadata/generated/element-link-icon.sub.tentative.html
new file mode 100644
index 00000000000000..7d5cbc4d591d4c
--- /dev/null
+++ b/fetch/metadata/generated/element-link-icon.sub.tentative.html
@@ -0,0 +1,96 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-link-icon.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "link" element with rel="icon"</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  const params = {
+    body: `
+      <svg xmlns="http://www.w3.org/2000/svg" width="123" height="123">
+        <rect fill="lime" width="123" height="123"/>
+      </svg>
+    `,
+    mime: 'image/svg+xml'
+  };
+
+  /**
+   * The `link` element supports a `load` event. That event would reliably
+   * indicate that the browser had received the request. Multiple major
+   * browsers do not implement the event, however, so in order to promote the
+   * visibility of this test, a less efficient polling-based detection
+   * mechanism is used.
+   *
+   * https://bugzilla.mozilla.org/show_bug.cgi?id=1638188
+   * https://bugs.chromium.org/p/chromium/issues/detail?id=1083034
+   */
+  function induceRequest(t, url, attributes) {
+    const link = document.createElement('link');
+    link.setAttribute('rel', 'icon');
+    link.setAttribute('href', url);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      link.setAttribute(name, value);
+    }
+
+    document.head.appendChild(link);
+    t.add_cleanup(() => link.remove());
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      t,
+      makeRequestURL(key, ['httpOrigin'], params),
+      {}
+    );
+
+    return retrieve(key, {poll:true})
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      t,
+      makeRequestURL(key, ['httpSameSite'], params),
+      {}
+    );
+
+    return retrieve(key, {poll:true})
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      t,
+      makeRequestURL(key, ['httpCrossSite'], params),
+      {}
+    );
+
+    return retrieve(key, {poll:true})
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-link-prefetch.https.optional.sub.tentative.html b/fetch/metadata/generated/element-link-prefetch.https.optional.sub.tentative.html
new file mode 100644
index 00000000000000..c07c0241d312ff
--- /dev/null
+++ b/fetch/metadata/generated/element-link-prefetch.https.optional.sub.tentative.html
@@ -0,0 +1,95 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-link-prefetch.optional.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "link" element with rel="prefetch"</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  /**
+   * The `link` element supports a `load` event. That event would reliably
+   * indicate that the browser had received the request. Multiple major
+   * browsers do not implement the event, however, so in order to promote the
+   * visibility of this test, a less efficient polling-based detection
+   * mechanism is used.
+   *
+   * https://bugzilla.mozilla.org/show_bug.cgi?id=1638188
+   * https://bugs.chromium.org/p/chromium/issues/detail?id=1083034
+   */
+  function induceRequest(t, url, attributes) {
+    const link = document.createElement('link');
+    link.setAttribute('rel', 'prefetch');
+    link.setAttribute('href', url);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      link.setAttribute(name, value);
+    }
+
+    document.head.appendChild(link);
+    t.add_cleanup(() => link.remove());
+  }
+
+  setup(() => {
+    assert_implements_optional(document.createElement('link').relList.supports('prefetch'));
+  });
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      t,
+      makeRequestURL(key, ['httpsOrigin']),
+      {}
+    );
+
+    return retrieve(key, {poll:true})
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same origin no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      t,
+      makeRequestURL(key, ['httpsCrossSite']),
+      {}
+    );
+
+    return retrieve(key, {poll:true})
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Cross-site no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      t,
+      makeRequestURL(key, ['httpsSameSite']),
+      {}
+    );
+
+    return retrieve(key, {poll:true})
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same site no attributes');
+  </script>
+  </body>
+</html>
+
diff --git a/fetch/metadata/generated/element-link-prefetch.optional.sub.tentative.html b/fetch/metadata/generated/element-link-prefetch.optional.sub.tentative.html
new file mode 100644
index 00000000000000..8caeb47aecf0d2
--- /dev/null
+++ b/fetch/metadata/generated/element-link-prefetch.optional.sub.tentative.html
@@ -0,0 +1,92 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-link-prefetch.optional.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "link" element with rel="prefetch"</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  /**
+   * The `link` element supports a `load` event. That event would reliably
+   * indicate that the browser had received the request. Multiple major
+   * browsers do not implement the event, however, so in order to promote the
+   * visibility of this test, a less efficient polling-based detection
+   * mechanism is used.
+   *
+   * https://bugzilla.mozilla.org/show_bug.cgi?id=1638188
+   * https://bugs.chromium.org/p/chromium/issues/detail?id=1083034
+   */
+  function induceRequest(t, url, attributes) {
+    const link = document.createElement('link');
+    link.setAttribute('rel', 'prefetch');
+    link.setAttribute('href', url);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      link.setAttribute(name, value);
+    }
+
+    document.head.appendChild(link);
+    t.add_cleanup(() => link.remove());
+  }
+
+  setup(() => {
+    assert_implements_optional(document.createElement('link').relList.supports('prefetch'));
+  });
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      t,
+      makeRequestURL(key, ['httpOrigin']),
+      {}
+    );
+
+    return retrieve(key, {poll:true})
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      t,
+      makeRequestURL(key, ['httpSameSite']),
+      {}
+    );
+
+    return retrieve(key, {poll:true})
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    induceRequest(
+      t,
+      makeRequestURL(key, ['httpCrossSite']),
+      {}
+    );
+
+    return retrieve(key, {poll:true})
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination no attributes');
+  </script>
+  </body>
+</html>
+
diff --git a/fetch/metadata/generated/element-meta-refresh.https.optional.sub.tentative.html b/fetch/metadata/generated/element-meta-refresh.https.optional.sub.tentative.html
new file mode 100644
index 00000000000000..b4af576d85e1f4
--- /dev/null
+++ b/fetch/metadata/generated/element-meta-refresh.https.optional.sub.tentative.html
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-meta-refresh.optional.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "meta" element with http-equiv="refresh"</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, test) {
+    const win = window.open();
+    test.add_cleanup(() => win.close());
+
+    win.document.open();
+    win.document.write(
+      `<meta http-equiv="Refresh" content="0; URL=${url}">`
+    );
+    win.document.close();
+
+    return new Promise((resolve) => {
+      addEventListener('message', (event) => {
+          if (event.source === win) {
+            resolve();
+          }
+        });
+    });
+  }
+
+  const responseParams = {
+    mime: 'text/html',
+    body: `<script>opener.postMessage(0, '*')</${''}script>`
+  };
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin'], responseParams), t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite'], responseParams), t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite'], responseParams), t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-meta-refresh.optional.sub.tentative.html b/fetch/metadata/generated/element-meta-refresh.optional.sub.tentative.html
new file mode 100644
index 00000000000000..bf13517414f06b
--- /dev/null
+++ b/fetch/metadata/generated/element-meta-refresh.optional.sub.tentative.html
@@ -0,0 +1,79 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-meta-refresh.optional.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "meta" element with http-equiv="refresh"</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, test) {
+    const win = window.open();
+    test.add_cleanup(() => win.close());
+
+    win.document.open();
+    win.document.write(
+      `<meta http-equiv="Refresh" content="0; URL=${url}">`
+    );
+    win.document.close();
+
+    return new Promise((resolve) => {
+      addEventListener('message', (event) => {
+          if (event.source === win) {
+            resolve();
+          }
+        });
+    });
+  }
+
+  const responseParams = {
+    mime: 'text/html',
+    body: `<script>opener.postMessage(0, '*')</${''}script>`
+  };
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin'], responseParams), t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite'], responseParams), t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite'], responseParams), t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-picture.https.sub.tentative.html b/fetch/metadata/generated/element-picture.https.sub.tentative.html
new file mode 100644
index 00000000000000..8290e7987e8387
--- /dev/null
+++ b/fetch/metadata/generated/element-picture.https.sub.tentative.html
@@ -0,0 +1,184 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-picture.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "picture" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, sourceEl, sourceAttr, attributes) {
+    const picture = document.createElement('picture');
+    const els = {
+      img: document.createElement('img'),
+      source: document.createElement('source')
+    };
+    picture.appendChild(els.source);
+    picture.appendChild(els.img);
+    document.body.appendChild(picture);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      els.img.setAttribute(name, value);
+    }
+
+    return new Promise((resolve) => {
+        els[sourceEl].setAttribute(sourceAttr, url);
+        els.img.onload = els.img.onerror = resolve;
+      });
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin']),
+        'img',
+        'src',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - img[src] - Same origin, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin']),
+        'img',
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - img[srcset] - Same origin, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin']),
+        'source',
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - source[srcset] - Same origin, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite']),
+        'img',
+        'src',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - img[src] - Cross-site, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite']),
+        'img',
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - img[srcset] - Cross-site, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite']),
+        'source',
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - source[srcset] - Cross-site, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite']),
+        'img',
+        'src',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - img[src] - Same site, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite']),
+        'img',
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - img[srcset] - Same site, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite']),
+        'source',
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - source[srcset] - Same site, no attributes');
+  </script>
+  </body>
+</html>
+
diff --git a/fetch/metadata/generated/element-picture.sub.tentative.html b/fetch/metadata/generated/element-picture.sub.tentative.html
new file mode 100644
index 00000000000000..b1228c84601ca8
--- /dev/null
+++ b/fetch/metadata/generated/element-picture.sub.tentative.html
@@ -0,0 +1,175 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-picture.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "picture" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, sourceEl, sourceAttr, attributes) {
+    const picture = document.createElement('picture');
+    const els = {
+      img: document.createElement('img'),
+      source: document.createElement('source')
+    };
+    picture.appendChild(els.source);
+    picture.appendChild(els.img);
+    document.body.appendChild(picture);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      els.img.setAttribute(name, value);
+    }
+
+    return new Promise((resolve) => {
+        els[sourceEl].setAttribute(sourceAttr, url);
+        els.img.onload = els.img.onerror = resolve;
+      });
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin']),
+        'img',
+        'src',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - img[src] - Not sent to non-trustworthy same-origin destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin']),
+        'img',
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - img[srcset] - Not sent to non-trustworthy same-origin destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin']),
+        'source',
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - source[srcset] - Not sent to non-trustworthy same-origin destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite']),
+        'img',
+        'src',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - img[src] - Not sent to non-trustworthy same-site destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite']),
+        'img',
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - img[srcset] - Not sent to non-trustworthy same-site destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite']),
+        'source',
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - source[srcset] - Not sent to non-trustworthy same-site destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite']),
+        'img',
+        'src',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - img[src] - Not sent to non-trustworthy cross-site destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite']),
+        'img',
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - img[srcset] - Not sent to non-trustworthy cross-site destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite']),
+        'source',
+        'srcset',
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - source[srcset] - Not sent to non-trustworthy cross-site destination, no attributes');
+  </script>
+  </body>
+</html>
+
diff --git a/fetch/metadata/generated/element-script.https.sub.tentative.html b/fetch/metadata/generated/element-script.https.sub.tentative.html
new file mode 100644
index 00000000000000..9587627c842d93
--- /dev/null
+++ b/fetch/metadata/generated/element-script.https.sub.tentative.html
@@ -0,0 +1,130 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-script.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "script" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, attributes) {
+    const script = document.createElement('script');
+    script.setAttribute('src', url);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      script.setAttribute(name, value);
+    }
+
+    return new Promise((resolve, reject) => {
+        script.onload = resolve;
+        script.onerror = () => reject('Failed to load script');
+        document.body.appendChild(script);
+      })
+      .then(() => script.remove());
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsOrigin'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url,
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsOrigin'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url,
+        {"type": "module"}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin, attributes: type=module');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsCrossSite'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url,
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsCrossSite'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url,
+        {"type": "module"}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site, attributes: type=module');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsSameSite'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url,
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsSameSite'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url,
+        {"type": "module"}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site, attributes: type=module');
+  </script>
+</html>
diff --git a/fetch/metadata/generated/element-script.sub.tentative.html b/fetch/metadata/generated/element-script.sub.tentative.html
new file mode 100644
index 00000000000000..053b962609ffeb
--- /dev/null
+++ b/fetch/metadata/generated/element-script.sub.tentative.html
@@ -0,0 +1,124 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-script.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "script" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, attributes) {
+    const script = document.createElement('script');
+    script.setAttribute('src', url);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      script.setAttribute(name, value);
+    }
+
+    return new Promise((resolve, reject) => {
+        script.onload = resolve;
+        script.onerror = () => reject('Failed to load script');
+        document.body.appendChild(script);
+      })
+      .then(() => script.remove());
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpOrigin'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url,
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpOrigin'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url,
+        {"type": "module"}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination, attributes: type=module');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpSameSite'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url,
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpSameSite'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url,
+        {"type": "module"}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination, attributes: type=module');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpCrossSite'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url,
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpCrossSite'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url,
+        {"type": "module"}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination, attributes: type=module');
+  </script>
+</html>
diff --git a/fetch/metadata/generated/element-video-poster.https.sub.tentative.html b/fetch/metadata/generated/element-video-poster.https.sub.tentative.html
new file mode 100644
index 00000000000000..2df720b2bdfe19
--- /dev/null
+++ b/fetch/metadata/generated/element-video-poster.https.sub.tentative.html
@@ -0,0 +1,79 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-video-poster.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "video" element "poster"</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  const params = {
+    body: `
+      <svg xmlns="http://www.w3.org/2000/svg" width="123" height="123">
+        <rect fill="lime" width="123" height="123"/>
+      </svg>
+    `,
+    mime: 'image/svg+xml'
+  };
+
+  function induceRequest(t, url) {
+    var video = document.createElement('video');
+    video.setAttribute('poster', url);
+    document.body.appendChild(video);
+
+    const poll = () => {
+      if (video.clientWidth === 123) {
+        return;
+      }
+
+      return new Promise((resolve) => t.step_timeout(resolve, 0))
+        .then(poll);
+    };
+    t.add_cleanup(() => video.remove());
+
+    return poll();
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpsOrigin'], params))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpsCrossSite'], params))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpsSameSite'], params))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same site');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-video-poster.sub.tentative.html b/fetch/metadata/generated/element-video-poster.sub.tentative.html
new file mode 100644
index 00000000000000..4c448b0f0da3a3
--- /dev/null
+++ b/fetch/metadata/generated/element-video-poster.sub.tentative.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-video-poster.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "video" element "poster"</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  const params = {
+    body: `
+      <svg xmlns="http://www.w3.org/2000/svg" width="123" height="123">
+        <rect fill="lime" width="123" height="123"/>
+      </svg>
+    `,
+    mime: 'image/svg+xml'
+  };
+
+  function induceRequest(t, url) {
+    var video = document.createElement('video');
+    video.setAttribute('poster', url);
+    document.body.appendChild(video);
+
+    const poll = () => {
+      if (video.clientWidth === 123) {
+        return;
+      }
+
+      return new Promise((resolve) => t.step_timeout(resolve, 0))
+        .then(poll);
+    };
+    t.add_cleanup(() => video.remove());
+
+    return poll();
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpOrigin'], params))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpSameSite'], params))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(t, makeRequestURL(key, ['httpCrossSite'], params))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-video.https.sub.tentative.html b/fetch/metadata/generated/element-video.https.sub.tentative.html
new file mode 100644
index 00000000000000..4add9a53261452
--- /dev/null
+++ b/fetch/metadata/generated/element-video.https.sub.tentative.html
@@ -0,0 +1,74 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-video.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "video" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, attributes) {
+    const video = document.createElement('video');
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      video.setAttribute(name, value);
+    }
+
+    return new Promise((resolve) => {
+        video.setAttribute('src', url);
+        video.onload = video.onerror = resolve;
+      });
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site, no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/element-video.sub.tentative.html b/fetch/metadata/generated/element-video.sub.tentative.html
new file mode 100644
index 00000000000000..d85c486cd2dae8
--- /dev/null
+++ b/fetch/metadata/generated/element-video.sub.tentative.html
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/element-video.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTML "video" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, attributes) {
+    const video = document.createElement('video');
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      video.setAttribute(name, value);
+    }
+
+    return new Promise((resolve) => {
+        video.setAttribute('src', url);
+        video.onload = video.onerror = resolve;
+      });
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination, no attributes');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination, no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/fetch-via-serviceworker.https.sub.tentative.html b/fetch/metadata/generated/fetch-via-serviceworker.https.sub.tentative.html
new file mode 100644
index 00000000000000..2541722d7dcf2a
--- /dev/null
+++ b/fetch/metadata/generated/fetch-via-serviceworker.https.sub.tentative.html
@@ -0,0 +1,140 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/fetch-via-serviceworker.https.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request using the "fetch" API and passing through a Serive Worker</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  const scripts = {
+    fallback: '/fetch/metadata/resources/fetch-via-serviceworker--fallback--sw.js',
+    respondWith: '/fetch/metadata/resources/fetch-via-serviceworker--respondWith--sw.js'
+  };
+
+  function induceRequest(t, url, init, script) {
+    const SCOPE = '/fetch/metadata/resources/fetch-via-serviceworker-frame.html';
+    const SCRIPT = scripts[script];
+
+    return service_worker_unregister_and_register(t, SCRIPT, SCOPE)
+      .then((registration) => {
+        t.add_cleanup(() => registration.unregister());
+
+        return wait_for_state(t, registration.installing, 'activated');
+      })
+      .then(() => with_iframe(SCOPE))
+      .then((frame) => {
+        t.add_cleanup(() => frame.remove());
+
+        return frame.contentWindow.fetch(url, init);
+      });
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpsOrigin']),
+        {"mode": "no-cors"},
+        'respondWith'
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin, init: mode=no-cors - respondWith');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpsOrigin']),
+        {"mode": "no-cors"},
+        'fallback'
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin, init: mode=no-cors - fallback');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpsCrossSite']),
+        {"mode": "no-cors"},
+        'respondWith'
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site, init: mode=no-cors - respondWith');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpsCrossSite']),
+        {"mode": "no-cors"},
+        'fallback'
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site, init: mode=no-cors - fallback');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpsSameSite']),
+        {"mode": "no-cors"},
+        'respondWith'
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site, init: mode=no-cors - respondWith');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpsSameSite']),
+        {"mode": "no-cors"},
+        'fallback'
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site, init: mode=no-cors - fallback');
+
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/fetch.https.sub.tentative.html b/fetch/metadata/generated/fetch.https.sub.tentative.html
new file mode 100644
index 00000000000000..524a9e41cd1038
--- /dev/null
+++ b/fetch/metadata/generated/fetch.https.sub.tentative.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/fetch.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request using the "fetch" API</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, init) {
+    return fetch(url, init);
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin']),
+        {"mode": "no-cors"}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin, init: mode=no-cors');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite']),
+        {"mode": "no-cors"}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site, init: mode=no-cors');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite']),
+        {"mode": "no-cors"}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site, init: mode=no-cors');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/fetch.sub.tentative.html b/fetch/metadata/generated/fetch.sub.tentative.html
new file mode 100644
index 00000000000000..9953b56c88daa6
--- /dev/null
+++ b/fetch/metadata/generated/fetch.sub.tentative.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/fetch.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request using the "fetch" API</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, init) {
+    return fetch(url, init);
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination, no init');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination, no init');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite']),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination, no init');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/form-submission.https.sub.tentative.html b/fetch/metadata/generated/form-submission.https.sub.tentative.html
new file mode 100644
index 00000000000000..8238bba288bf45
--- /dev/null
+++ b/fetch/metadata/generated/form-submission.https.sub.tentative.html
@@ -0,0 +1,138 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/form-submission.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <meta name="timeout" content="long">
+  <title>HTTP headers on request for HTML form navigation</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(method, url, userActivated) {
+    const windowName = String(Math.random());
+    const form = document.createElement('form');
+    const submit = document.createElement('input');
+    submit.setAttribute('type', 'submit');
+    form.appendChild(submit);
+    const win = open('about:blank', windowName);
+    form.setAttribute('method', method);
+    form.setAttribute('action', url);
+    form.setAttribute('target', windowName);
+    document.body.appendChild(form);
+
+    // Query parameters must be expressed as form values so that they are sent
+    // with the submission of forms whose method is POST.
+    Array.from(new URL(url, location.origin).searchParams)
+      .forEach(([name, value]) => {
+        const input = document.createElement('input');
+        input.setAttribute('type', 'hidden');
+        input.setAttribute('name', name);
+        input.setAttribute('value', value);
+        form.appendChild(input);
+      });
+
+    return new Promise((resolve) => {
+        addEventListener('message', function(event) {
+          if (event.source === win) {
+            resolve();
+          }
+        });
+
+        if (userActivated) {
+          test_driver.click(submit);
+        } else {
+          submit.click();
+        }
+      })
+      .then(() => {
+        form.remove();
+        win.close();
+      });
+  }
+  const responseParams = {
+    mime: 'text/html',
+    body: `<script>opener.postMessage('done', '*')</${''}script>`
+  };
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsOrigin'], responseParams);
+    const userActivated = false;
+    return induceRequest('GET', url, userActivated)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin - GET');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsOrigin'], responseParams);
+    const userActivated = false;
+    return induceRequest('POST', url, userActivated)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin - POST');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsCrossSite'], responseParams);
+    const userActivated = false;
+    return induceRequest('GET', url, userActivated)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site - GET');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsCrossSite'], responseParams);
+    const userActivated = false;
+    return induceRequest('POST', url, userActivated)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site - POST');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsSameSite'], responseParams);
+    const userActivated = false;
+    return induceRequest('GET', url, userActivated)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site - GET');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsSameSite'], responseParams);
+    const userActivated = false;
+    return induceRequest('POST', url, userActivated)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site - POST');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/form-submission.sub.tentative.html b/fetch/metadata/generated/form-submission.sub.tentative.html
new file mode 100644
index 00000000000000..91fd781454d51f
--- /dev/null
+++ b/fetch/metadata/generated/form-submission.sub.tentative.html
@@ -0,0 +1,132 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/form-submission.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <meta name="timeout" content="long">
+  <title>HTTP headers on request for HTML form navigation</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(method, url, userActivated) {
+    const windowName = String(Math.random());
+    const form = document.createElement('form');
+    const submit = document.createElement('input');
+    submit.setAttribute('type', 'submit');
+    form.appendChild(submit);
+    const win = open('about:blank', windowName);
+    form.setAttribute('method', method);
+    form.setAttribute('action', url);
+    form.setAttribute('target', windowName);
+    document.body.appendChild(form);
+
+    // Query parameters must be expressed as form values so that they are sent
+    // with the submission of forms whose method is POST.
+    Array.from(new URL(url, location.origin).searchParams)
+      .forEach(([name, value]) => {
+        const input = document.createElement('input');
+        input.setAttribute('type', 'hidden');
+        input.setAttribute('name', name);
+        input.setAttribute('value', value);
+        form.appendChild(input);
+      });
+
+    return new Promise((resolve) => {
+        addEventListener('message', function(event) {
+          if (event.source === win) {
+            resolve();
+          }
+        });
+
+        if (userActivated) {
+          test_driver.click(submit);
+        } else {
+          submit.click();
+        }
+      })
+      .then(() => {
+        form.remove();
+        win.close();
+      });
+  }
+  const responseParams = {
+    mime: 'text/html',
+    body: `<script>opener.postMessage('done', '*')</${''}script>`
+  };
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
+    const userActivated = false;
+    return induceRequest('GET', url, userActivated)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination - GET');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
+    const userActivated = false;
+    return induceRequest('POST', url, userActivated)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination - POST');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
+    const userActivated = false;
+    return induceRequest('GET', url, userActivated)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination - GET');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
+    const userActivated = false;
+    return induceRequest('POST', url, userActivated)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination - POST');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
+    const userActivated = false;
+    return induceRequest('GET', url, userActivated)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination - GET');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
+    const userActivated = false;
+    return induceRequest('POST', url, userActivated)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination - POST');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/header-link.https.sub.tentative.html b/fetch/metadata/generated/header-link.https.sub.tentative.html
index 307c37fbf77c9a..d1a2772c9ebce5 100644
--- a/fetch/metadata/generated/header-link.https.sub.tentative.html
+++ b/fetch/metadata/generated/header-link.https.sub.tentative.html
@@ -32,6 +32,96 @@
       });
   }
 
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin'], {mime: 'text/html'}),
+        'icon',
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors rel=icon - Same origin');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin'], {mime: 'text/html'}),
+        'stylesheet',
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors rel=stylesheet - Same origin');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite'], {mime: 'text/html'}),
+        'icon',
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors rel=icon - Cross-site');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite'], {mime: 'text/html'}),
+        'stylesheet',
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors rel=stylesheet - Cross-site');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite'], {mime: 'text/html'}),
+        'icon',
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors rel=icon - Same site');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite'], {mime: 'text/html'}),
+        'stylesheet',
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors rel=stylesheet - Same site');
+
   promise_test((t) => {
     const key = '{{uuid()}}';
 
diff --git a/fetch/metadata/generated/header-link.sub.tentative.html b/fetch/metadata/generated/header-link.sub.tentative.html
new file mode 100644
index 00000000000000..897097460b9449
--- /dev/null
+++ b/fetch/metadata/generated/header-link.sub.tentative.html
@@ -0,0 +1,120 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/header-link.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTTP "Link" header</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, rel, test) {
+    const iframe = document.createElement('iframe');
+
+    iframe.setAttribute(
+      'src',
+      '/fetch/metadata/resources/header-link.py' +
+        `?location=${encodeURIComponent(url)}&rel=${rel}`
+    );
+
+    document.body.appendChild(iframe);
+    test.add_cleanup(() => iframe.remove());
+
+    return new Promise((resolve) => {
+        iframe.onload = iframe.onerror = resolve;
+      });
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin'], {mime: 'text/html'}),
+        'icon',
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors rel=icon - Not sent to non-trustworthy same-origin destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin'], {mime: 'text/html'}),
+        'stylesheet',
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors rel=stylesheet - Not sent to non-trustworthy same-origin destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite'], {mime: 'text/html'}),
+        'icon',
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors rel=icon - Not sent to non-trustworthy same-site destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite'], {mime: 'text/html'}),
+        'stylesheet',
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors rel=stylesheet - Not sent to non-trustworthy same-site destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite'], {mime: 'text/html'}),
+        'icon',
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors rel=icon - Not sent to non-trustworthy cross-site destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite'], {mime: 'text/html'}),
+        'stylesheet',
+        t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors rel=stylesheet - Not sent to non-trustworthy cross-site destination');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/header-refresh.https.optional.sub.tentative.html b/fetch/metadata/generated/header-refresh.https.optional.sub.tentative.html
new file mode 100644
index 00000000000000..2313162d92c42e
--- /dev/null
+++ b/fetch/metadata/generated/header-refresh.https.optional.sub.tentative.html
@@ -0,0 +1,78 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/header-refresh.optional.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTTP "Refresh" header</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, test) {
+    const win = window.open();
+    test.add_cleanup(() => win.close());
+
+    win.location = `/common/refresh.py?location=${encodeURIComponent(url)}`
+
+    return new Promise((resolve) => {
+      addEventListener('message', (event) => {
+          if (event.source === win) {
+            resolve();
+          }
+        });
+    });
+  }
+
+  const responseParams = {
+    mime: 'text/html',
+    body: `<script>opener.postMessage(0, '*')</${''}script>`
+  };
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsOrigin'], responseParams), t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsCrossSite'], responseParams), t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpsSameSite'], responseParams), t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/header-refresh.optional.sub.tentative.html b/fetch/metadata/generated/header-refresh.optional.sub.tentative.html
new file mode 100644
index 00000000000000..8505d77bd5ec04
--- /dev/null
+++ b/fetch/metadata/generated/header-refresh.optional.sub.tentative.html
@@ -0,0 +1,75 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/header-refresh.optional.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for HTTP "Refresh" header</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, test) {
+    const win = window.open();
+    test.add_cleanup(() => win.close());
+
+    win.location = `/common/refresh.py?location=${encodeURIComponent(url)}`
+
+    return new Promise((resolve) => {
+      addEventListener('message', (event) => {
+          if (event.source === win) {
+            resolve();
+          }
+        });
+    });
+  }
+
+  const responseParams = {
+    mime: 'text/html',
+    body: `<script>opener.postMessage(0, '*')</${''}script>`
+  };
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpOrigin'], responseParams), t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpSameSite'], responseParams), t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(key, ['httpCrossSite'], responseParams), t
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/script-module-import-dynamic.https.sub.tentative.html b/fetch/metadata/generated/script-module-import-dynamic.https.sub.tentative.html
new file mode 100644
index 00000000000000..25d39da2b4d0d6
--- /dev/null
+++ b/fetch/metadata/generated/script-module-import-dynamic.https.sub.tentative.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/script-module-import-dynamic.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for dynamic ECMAScript module import</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <script type="module">
+  'use strict';
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsOrigin'], { mime: 'application/javascript' }
+    );
+
+    return import(url)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsCrossSite'], { mime: 'application/javascript' }
+    );
+
+    return import(url)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsSameSite'], { mime: 'application/javascript' }
+    );
+
+    return import(url)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site');
+  </script>
+</html>
diff --git a/fetch/metadata/generated/script-module-import-dynamic.sub.tentative.html b/fetch/metadata/generated/script-module-import-dynamic.sub.tentative.html
new file mode 100644
index 00000000000000..d6d675141db18c
--- /dev/null
+++ b/fetch/metadata/generated/script-module-import-dynamic.sub.tentative.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/script-module-import-dynamic.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for dynamic ECMAScript module import</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <script type="module">
+  'use strict';
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpOrigin'], { mime: 'application/javascript' }
+    );
+
+    return import(url)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpSameSite'], { mime: 'application/javascript' }
+    );
+
+    return import(url)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpCrossSite'], { mime: 'application/javascript' }
+    );
+
+    return import(url)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+  </script>
+</html>
diff --git a/fetch/metadata/generated/script-module-import-static.https.sub.tentative.html b/fetch/metadata/generated/script-module-import-static.https.sub.tentative.html
new file mode 100644
index 00000000000000..82fc0ecf2f8d5b
--- /dev/null
+++ b/fetch/metadata/generated/script-module-import-static.https.sub.tentative.html
@@ -0,0 +1,79 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/script-module-import-static.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for static ECMAScript module import</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url) {
+    const script = document.createElement('script');
+    script.setAttribute('type', 'module');
+    script.setAttribute(
+      'src',
+      '/fetch/metadata/resources/es-module.sub.js?moduleId=' + encodeURIComponent(url)
+    );
+
+    return new Promise((resolve, reject) => {
+        script.onload = resolve;
+        script.onerror = () => reject('Failed to load script');
+        document.body.appendChild(script);
+      })
+      .then(() => script.remove());
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(
+          key, ['httpsOrigin'], { mime: 'application/javascript' }
+        )
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(
+          key, ['httpsCrossSite'], { mime: 'application/javascript' }
+        )
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(
+          key, ['httpsSameSite'], { mime: 'application/javascript' }
+        )
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site');
+  </script>
+</html>
diff --git a/fetch/metadata/generated/script-module-import-static.sub.tentative.html b/fetch/metadata/generated/script-module-import-static.sub.tentative.html
new file mode 100644
index 00000000000000..5fa72902e05acc
--- /dev/null
+++ b/fetch/metadata/generated/script-module-import-static.sub.tentative.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/script-module-import-static.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for static ECMAScript module import</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url) {
+    const script = document.createElement('script');
+    script.setAttribute('type', 'module');
+    script.setAttribute(
+      'src',
+      '/fetch/metadata/resources/es-module.sub.js?moduleId=' + encodeURIComponent(url)
+    );
+
+    return new Promise((resolve, reject) => {
+        script.onload = resolve;
+        script.onerror = () => reject('Failed to load script');
+        document.body.appendChild(script);
+      })
+      .then(() => script.remove());
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(
+          key, ['httpOrigin'], { mime: 'application/javascript' }
+        )
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(
+          key, ['httpSameSite'], { mime: 'application/javascript' }
+        )
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        makeRequestURL(
+          key, ['httpCrossSite'], { mime: 'application/javascript' }
+        )
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+  </script>
+</html>
diff --git a/fetch/metadata/generated/serviceworker.https.sub.tentative.html b/fetch/metadata/generated/serviceworker.https.sub.tentative.html
new file mode 100644
index 00000000000000..dfe91233703917
--- /dev/null
+++ b/fetch/metadata/generated/serviceworker.https.sub.tentative.html
@@ -0,0 +1,60 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/serviceworker.https.sub.html
+-->
+<!DOCTYPE html>
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for Service Workers</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(t, url, options, event, clear) {
+    // Register a service worker and check the request header.
+    return navigator.serviceWorker.register(url, options)
+      .then((registration) => {
+        t.add_cleanup(() => registration.unregister());
+        if (event === 'register') {
+          return;
+        }
+        return clear().then(() => registration.update());
+      });
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsOrigin'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(t, url, {}, 'register')
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin, no options - registration');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsOrigin'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(t, url, {}, 'update', () => retrieve(key))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin, no options - updating');
+  </script>
+</body>
+</html>
diff --git a/fetch/metadata/generated/svg-image.https.sub.tentative.html b/fetch/metadata/generated/svg-image.https.sub.tentative.html
new file mode 100644
index 00000000000000..cbe2f4e2819d22
--- /dev/null
+++ b/fetch/metadata/generated/svg-image.https.sub.tentative.html
@@ -0,0 +1,97 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/svg-image.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for SVG "image" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  const params = {
+    body: `
+      <svg xmlns="http://www.w3.org/2000/svg" width="123" height="123">
+        <rect fill="lime" width="123" height="123"/>
+      </svg>
+    `,
+    mime: 'image/svg+xml'
+  };
+
+  function induceRequest(t, url, attributes) {
+    const svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
+    svg.setAttributeNS(
+      "http://www.w3.org/2000/xmlns/",
+      "xmlns:xlink",
+      "http://www.w3.org/1999/xlink"
+    );
+    const image = document.createElementNS("http://www.w3.org/2000/svg", "image");
+    image.setAttribute("href", url);
+    svg.appendChild(image);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      image.setAttribute(name, value);
+    }
+
+    document.body.appendChild(svg);
+    t.add_cleanup(() => svg.remove());
+
+    return new Promise((resolve, reject) => {
+      image.onload = resolve;
+      image.onerror = reject;
+    });
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpsOrigin'], params),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same origin no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpsCrossSite'], params),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Cross-site no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpsSameSite'], params),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+      });
+  }, 'sec-fetch-frame-ancestors - Same site no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/svg-image.sub.tentative.html b/fetch/metadata/generated/svg-image.sub.tentative.html
new file mode 100644
index 00000000000000..c5c8a488d221a3
--- /dev/null
+++ b/fetch/metadata/generated/svg-image.sub.tentative.html
@@ -0,0 +1,94 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/svg-image.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for SVG "image" element source</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  const params = {
+    body: `
+      <svg xmlns="http://www.w3.org/2000/svg" width="123" height="123">
+        <rect fill="lime" width="123" height="123"/>
+      </svg>
+    `,
+    mime: 'image/svg+xml'
+  };
+
+  function induceRequest(t, url, attributes) {
+    const svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
+    svg.setAttributeNS(
+      "http://www.w3.org/2000/xmlns/",
+      "xmlns:xlink",
+      "http://www.w3.org/1999/xlink"
+    );
+    const image = document.createElementNS("http://www.w3.org/2000/svg", "image");
+    image.setAttribute("href", url);
+    svg.appendChild(image);
+
+    for (const [ name, value ] of Object.entries(attributes)) {
+      image.setAttribute(name, value);
+    }
+
+    document.body.appendChild(svg);
+    t.add_cleanup(() => svg.remove());
+
+    return new Promise((resolve, reject) => {
+      image.onload = resolve;
+      image.onerror = reject;
+    });
+  }
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpOrigin'], params),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpSameSite'], params),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination no attributes');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+
+    return induceRequest(
+        t,
+        makeRequestURL(key, ['httpCrossSite'], params),
+        {}
+      )
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+      });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination no attributes');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/window-history.https.sub.tentative.html b/fetch/metadata/generated/window-history.https.sub.tentative.html
new file mode 100644
index 00000000000000..147eb080467ba1
--- /dev/null
+++ b/fetch/metadata/generated/window-history.https.sub.tentative.html
@@ -0,0 +1,167 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/window-history.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for navigation via the HTML History API</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  const whenDone = (win) => {
+    return new Promise((resolve) => {
+      addEventListener('message', function handle(event) {
+        if (event.source === win) {
+          resolve();
+          removeEventListener('message', handle);
+        }
+      });
+    })
+  };
+
+  /**
+   * Prime the UA's session history such that the location of the request is
+   * immediately behind the current entry. Because the location may not be
+   * same-origin with the current browsing context, this must be done via a
+   * true navigation and not, e.g. the `history.pushState` API. The initial
+   * navigation will alter the WPT server's internal state; in order to avoid
+   * false positives, clear that state prior to initiating the second
+   * navigation via `history.back`.
+   */
+  function induceBackRequest(url, test, clear) {
+    const win = window.open(url);
+
+    test.add_cleanup(() => win.close());
+
+    return whenDone(win)
+      .then(clear)
+      .then(() => win.history.back())
+      .then(() => whenDone(win));
+  }
+
+  /**
+   * Prime the UA's session history such that the location of the request is
+   * immediately ahead of the current entry. Because the location may not be
+   * same-origin with the current browsing context, this must be done via a
+   * true navigation and not, e.g. the `history.pushState` API. The initial
+   * navigation will alter the WPT server's internal state; in order to avoid
+   * false positives, clear that state prior to initiating the second
+   * navigation via `history.forward`.
+   */
+  function induceForwardRequest(url, test, clear) {
+    const win = window.open(messageOpenerUrl);
+
+    test.add_cleanup(() => win.close());
+
+    return whenDone(win)
+      .then(() => win.location = url)
+      .then(() => whenDone(win))
+      .then(clear)
+      .then(() => win.history.go(-2))
+      .then(() => whenDone(win))
+      .then(() => win.history.forward())
+      .then(() => whenDone(win));
+  }
+
+  const messageOpenerUrl = new URL(
+    '/fetch/metadata/resources/message-opener.html', location
+  );
+  // For these tests to function, replacement must *not* be enabled during
+  // navigation. Assignment must therefore take place after the document has
+  // completely loaded [1]. This event is not directly observable, but it is
+  // scheduled as a task immediately following the global object's `load`
+  // event [2]. By queuing a task during the dispatch of the `load` event,
+  // navigation can be consistently triggered without replacement.
+  //
+  // [1] https://html.spec.whatwg.org/multipage/history.html#location-object-setter-navigate
+  // [2] https://html.spec.whatwg.org/multipage/parsing.html#the-end
+  const responseParams = {
+    mime: 'text/html',
+    body: `<script>
+      window.addEventListener('load', () => {
+        set`+`Timeout(() => location.assign('${messageOpenerUrl}'));
+      });
+    <`+`/script>`
+  };
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsOrigin'], responseParams);
+
+    return induceBackRequest(url, t, () => retrieve(key))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin - history.back');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsOrigin'], responseParams);
+
+    return induceForwardRequest(url, t, () => retrieve(key))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin - history.forward');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsCrossSite'], responseParams);
+
+    return induceBackRequest(url, t, () => retrieve(key))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site - history.back');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsCrossSite'], responseParams);
+
+    return induceForwardRequest(url, t, () => retrieve(key))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site - history.forward');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsSameSite'], responseParams);
+
+    return induceBackRequest(url, t, () => retrieve(key))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site - history.back');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsSameSite'], responseParams);
+
+    return induceForwardRequest(url, t, () => retrieve(key))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site - history.forward');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/window-history.sub.tentative.html b/fetch/metadata/generated/window-history.sub.tentative.html
new file mode 100644
index 00000000000000..a97fc170407431
--- /dev/null
+++ b/fetch/metadata/generated/window-history.sub.tentative.html
@@ -0,0 +1,161 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/window-history.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for navigation via the HTML History API</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  const whenDone = (win) => {
+    return new Promise((resolve) => {
+      addEventListener('message', function handle(event) {
+        if (event.source === win) {
+          resolve();
+          removeEventListener('message', handle);
+        }
+      });
+    })
+  };
+
+  /**
+   * Prime the UA's session history such that the location of the request is
+   * immediately behind the current entry. Because the location may not be
+   * same-origin with the current browsing context, this must be done via a
+   * true navigation and not, e.g. the `history.pushState` API. The initial
+   * navigation will alter the WPT server's internal state; in order to avoid
+   * false positives, clear that state prior to initiating the second
+   * navigation via `history.back`.
+   */
+  function induceBackRequest(url, test, clear) {
+    const win = window.open(url);
+
+    test.add_cleanup(() => win.close());
+
+    return whenDone(win)
+      .then(clear)
+      .then(() => win.history.back())
+      .then(() => whenDone(win));
+  }
+
+  /**
+   * Prime the UA's session history such that the location of the request is
+   * immediately ahead of the current entry. Because the location may not be
+   * same-origin with the current browsing context, this must be done via a
+   * true navigation and not, e.g. the `history.pushState` API. The initial
+   * navigation will alter the WPT server's internal state; in order to avoid
+   * false positives, clear that state prior to initiating the second
+   * navigation via `history.forward`.
+   */
+  function induceForwardRequest(url, test, clear) {
+    const win = window.open(messageOpenerUrl);
+
+    test.add_cleanup(() => win.close());
+
+    return whenDone(win)
+      .then(() => win.location = url)
+      .then(() => whenDone(win))
+      .then(clear)
+      .then(() => win.history.go(-2))
+      .then(() => whenDone(win))
+      .then(() => win.history.forward())
+      .then(() => whenDone(win));
+  }
+
+  const messageOpenerUrl = new URL(
+    '/fetch/metadata/resources/message-opener.html', location
+  );
+  // For these tests to function, replacement must *not* be enabled during
+  // navigation. Assignment must therefore take place after the document has
+  // completely loaded [1]. This event is not directly observable, but it is
+  // scheduled as a task immediately following the global object's `load`
+  // event [2]. By queuing a task during the dispatch of the `load` event,
+  // navigation can be consistently triggered without replacement.
+  //
+  // [1] https://html.spec.whatwg.org/multipage/history.html#location-object-setter-navigate
+  // [2] https://html.spec.whatwg.org/multipage/parsing.html#the-end
+  const responseParams = {
+    mime: 'text/html',
+    body: `<script>
+      window.addEventListener('load', () => {
+        set`+`Timeout(() => location.assign('${messageOpenerUrl}'));
+      });
+    <`+`/script>`
+  };
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
+
+    return induceBackRequest(url, t, () => retrieve(key))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination - history.back');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
+
+    return induceForwardRequest(url, t, () => retrieve(key))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination - history.forward');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
+
+    return induceBackRequest(url, t, () => retrieve(key))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination - history.back');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
+
+    return induceForwardRequest(url, t, () => retrieve(key))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination - history.forward');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
+
+    return induceBackRequest(url, t, () => retrieve(key))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination - history.back');
+
+  promise_test((t) => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
+
+    return induceForwardRequest(url, t, () => retrieve(key))
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination - history.forward');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/window-location.https.sub.tentative.html b/fetch/metadata/generated/window-location.https.sub.tentative.html
new file mode 100644
index 00000000000000..c5ce898971cd3c
--- /dev/null
+++ b/fetch/metadata/generated/window-location.https.sub.tentative.html
@@ -0,0 +1,225 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/window-location.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for navigation via the HTML Location API</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, navigate, userActivated) {
+    const win = window.open();
+
+    return new Promise((resolve) => {
+        addEventListener('message', function(event) {
+          if (event.source === win) {
+            resolve();
+          }
+        });
+
+        if (userActivated) {
+          test_driver.bless('enable user activation', () => {
+            navigate(win, url);
+          });
+        } else {
+          navigate(win, url);
+        }
+      })
+      .then(() => win.close());
+  }
+
+  const responseParams = {
+    mime: 'text/html',
+    body: `<script>opener.postMessage('done', '*')</${''}script>`
+  };
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsOrigin'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location = path;
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin - location');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsOrigin'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.href = path;
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin - location.href');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsOrigin'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.assign(path);
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin - location.assign');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsOrigin'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.replace(path);
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin - location.replace');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsCrossSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location = path;
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site - location');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsCrossSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.href = path;
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site - location.href');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsCrossSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.assign(path);
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site - location.assign');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsCrossSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.replace(path);
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site - location.replace');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsSameSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location = path;
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site - location');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsSameSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.href = path;
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site - location.href');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsSameSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.assign(path);
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site - location.assign');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpsSameSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.replace(path);
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site - location.replace');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/window-location.sub.tentative.html b/fetch/metadata/generated/window-location.sub.tentative.html
new file mode 100644
index 00000000000000..e0cf844ba23466
--- /dev/null
+++ b/fetch/metadata/generated/window-location.sub.tentative.html
@@ -0,0 +1,213 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/window-location.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for navigation via the HTML Location API</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <body>
+  <script>
+  'use strict';
+
+  function induceRequest(url, navigate, userActivated) {
+    const win = window.open();
+
+    return new Promise((resolve) => {
+        addEventListener('message', function(event) {
+          if (event.source === win) {
+            resolve();
+          }
+        });
+
+        if (userActivated) {
+          test_driver.bless('enable user activation', () => {
+            navigate(win, url);
+          });
+        } else {
+          navigate(win, url);
+        }
+      })
+      .then(() => win.close());
+  }
+
+  const responseParams = {
+    mime: 'text/html',
+    body: `<script>opener.postMessage('done', '*')</${''}script>`
+  };
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location = path;
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination - location');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.href = path;
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination - location.href');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.assign(path);
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination - location.assign');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpOrigin'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.replace(path);
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination - location.replace');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location = path;
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination - location');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.href = path;
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination - location.href');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.assign(path);
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination - location.assign');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpSameSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.replace(path);
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination - location.replace');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location = path;
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination - location');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.href = path;
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination - location.href');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.assign(path);
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination - location.assign');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(key, ['httpCrossSite'], responseParams);
+
+    const navigate = (win, path) => {
+      win.location.replace(path);
+    };
+    return induceRequest(url, navigate, false)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination - location.replace');
+  </script>
+  </body>
+</html>
diff --git a/fetch/metadata/generated/worker-dedicated-constructor.sub.tentative.html b/fetch/metadata/generated/worker-dedicated-constructor.sub.tentative.html
new file mode 100644
index 00000000000000..94474e59579459
--- /dev/null
+++ b/fetch/metadata/generated/worker-dedicated-constructor.sub.tentative.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/worker-dedicated-constructor.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for dedicated worker via the "Worker" constructor</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <script type="module">
+  'use strict';
+  function induceRequest(url, options) {
+    return new Promise((resolve, reject) => {
+      const worker = new Worker(url, options);
+      worker.onmessage = resolve;
+      worker.onerror = reject;
+    });
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key,
+      ['httpOrigin'],
+      { mime: 'application/javascript', body: 'postMessage("")' }
+    );
+
+    return induceRequest(url)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination, no options');
+  </script>
+</html>
diff --git a/fetch/metadata/generated/worker-dedicated-importscripts.https.sub.tentative.html b/fetch/metadata/generated/worker-dedicated-importscripts.https.sub.tentative.html
new file mode 100644
index 00000000000000..0f1bc350f342ba
--- /dev/null
+++ b/fetch/metadata/generated/worker-dedicated-importscripts.https.sub.tentative.html
@@ -0,0 +1,73 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/worker-dedicated-importscripts.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for dedicated worker via the "importScripts" API</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <script type="module">
+  'use strict';
+  function induceRequest(url, options) {
+    const src = `
+      importScripts('${url}');
+      postMessage('done');
+    `;
+    const workerUrl = URL.createObjectURL(
+      new Blob([src], { type: 'application/javascript' })
+    );
+    return new Promise((resolve, reject) => {
+      const worker = new Worker(workerUrl, options);
+      worker.onmessage = resolve;
+      worker.onerror = reject;
+    });
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsOrigin'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-origin']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same origin');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsCrossSite'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['cross-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Cross-site');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpsSameSite'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_own_property(headers, 'sec-fetch-frame-ancestors');
+          assert_array_equals(headers['sec-fetch-frame-ancestors'], ['same-site']);
+        });
+  }, 'sec-fetch-frame-ancestors - Same site');
+  </script>
+</html>
diff --git a/fetch/metadata/generated/worker-dedicated-importscripts.sub.tentative.html b/fetch/metadata/generated/worker-dedicated-importscripts.sub.tentative.html
new file mode 100644
index 00000000000000..e51f35e1314ee0
--- /dev/null
+++ b/fetch/metadata/generated/worker-dedicated-importscripts.sub.tentative.html
@@ -0,0 +1,70 @@
+<!DOCTYPE html>
+<!--
+This test was procedurally generated. Please do not modify it directly.
+Sources:
+- fetch/metadata/tools/fetch-metadata.conf.yml
+- fetch/metadata/tools/templates/worker-dedicated-importscripts.sub.html
+-->
+<html lang="en">
+  <meta charset="utf-8">
+  <title>HTTP headers on request for dedicated worker via the "importScripts" API</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/fetch/metadata/resources/helper.sub.js"></script>
+  <script type="module">
+  'use strict';
+  function induceRequest(url, options) {
+    const src = `
+      importScripts('${url}');
+      postMessage('done');
+    `;
+    const workerUrl = URL.createObjectURL(
+      new Blob([src], { type: 'application/javascript' })
+    );
+    return new Promise((resolve, reject) => {
+      const worker = new Worker(workerUrl, options);
+      worker.onmessage = resolve;
+      worker.onerror = reject;
+    });
+  }
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpOrigin'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-origin destination');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpSameSite'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy same-site destination');
+
+  promise_test(() => {
+    const key = '{{uuid()}}';
+    const url = makeRequestURL(
+      key, ['httpCrossSite'], { mime: 'application/javascript' }
+    );
+
+    return induceRequest(url)
+      .then(() => retrieve(key))
+      .then((headers) => {
+          assert_not_own_property(headers, 'sec-fetch-frame-ancestors');
+        });
+  }, 'sec-fetch-frame-ancestors - Not sent to non-trustworthy cross-site destination');
+  </script>
+</html>
diff --git a/fetch/metadata/tools/fetch-metadata.conf.yml b/fetch/metadata/tools/fetch-metadata.conf.yml
index 11e6140343638f..58d2f6e727a223 100644
--- a/fetch/metadata/tools/fetch-metadata.conf.yml
+++ b/fetch/metadata/tools/fetch-metadata.conf.yml
@@ -42,6 +42,18 @@ cases:
       - headerName: sec-fetch-user
         origins: [httpCrossSite]
         description: Not sent to non-trustworthy cross-site destination
+      - headerName: sec-fetch-frame-ancestors
+        filename_flags: [tentative]
+        origins: [httpOrigin]
+        description: Not sent to non-trustworthy same-origin destination
+      - headerName: sec-fetch-frame-ancestors
+        filename_flags: [tentative]
+        origins: [httpSameSite]
+        description: Not sent to non-trustworthy same-site destination
+      - headerName: sec-fetch-frame-ancestors
+        filename_flags: [tentative]
+        origins: [httpCrossSite]
+        description: Not sent to non-trustworthy cross-site destination
     template_axes:
       # The `audioWorklet` interface is only available in secure contexts
       # https://webaudio.github.io/web-audio-api/#BaseAudioContext
@@ -109,10 +121,13 @@ cases:
       - headerName: sec-fetch-user
         origins: [httpOrigin]
         description: Not sent to non-trustworthy same-origin destination
+      - headerName: sec-fetch-frame-ancestors
+        filename_flags: [tentative]
+        origins: [httpOrigin]
+        description: Not sent to non-trustworthy same-origin destination
     template_axes:
       # All the templates in this block are unused with the exception of
       # `worker-dedicated-constructor`
-      appcache-manifest.sub.https.html: []
       audioworklet.https.sub.html: []
       fetch-via-serviceworker.https.sub.html: []
       serviceworker.https.sub.html: []
@@ -449,6 +464,73 @@ cases:
       svg-image.sub.html: [{}]
       window-location.sub.html: [{}]
 
+  # Sec-Fetch-Frame-Ancestors - direct requests
+  - all_subtests:
+      headerName: sec-fetch-frame-ancestors
+      filename_flags: [https, tentative]
+    common_axis:
+      - description: Same origin
+        origins: [httpsOrigin]
+        expected: same-origin
+      - description: Cross-site
+        origins: [httpsCrossSite]
+        expected: cross-site
+      - description: Same site
+        origins: [httpsSameSite]
+        expected: same-site
+    template_axes:
+      # Unused
+      # - the request mode of all "classic" worker scripts is set to
+      #   "same-origin"
+      #   https://html.spec.whatwg.org/#fetch-a-classic-worker-script
+      # - the request mode of all "top-level "module" worker scripts is set to
+      #   "same-origin":
+      #   https://html.spec.whatwg.org/#fetch-a-single-module-script
+      worker-dedicated-constructor.sub.html: []
+
+      audioworklet.https.sub.html: [{}]
+      css-images.sub.html:
+        - filename_flags: [tentative]
+      css-font-face.sub.html:
+        - filename_flags: [tentative]
+      element-a.sub.html: [{}]
+      element-area.sub.html: [{}]
+      element-audio.sub.html: [{}]
+      element-embed.sub.html: [{}]
+      element-frame.sub.html: [{}]
+      element-iframe.sub.html: [{}]
+      element-img.sub.html:
+        - sourceAttr: src
+        - sourceAttr: srcset
+      element-img-environment-change.sub.html: [{}]
+      element-input-image.sub.html: [{}]
+      element-link-icon.sub.html: [{}]
+      element-link-prefetch.optional.sub.html: [{}]
+      element-meta-refresh.optional.sub.html: [{}]
+      element-picture.sub.html: [{}]
+      element-script.sub.html:
+        - {}
+        - elementAttrs: { type: module }
+      element-video.sub.html: [{}]
+      element-video-poster.sub.html: [{}]
+      fetch.sub.html: [{ init: { mode: no-cors } }]
+      fetch-via-serviceworker.https.sub.html: [{ init: { mode: no-cors } }]
+      form-submission.sub.html:
+        - method: GET
+        - method: POST
+      header-link.sub.html:
+        - rel: icon
+        - rel: stylesheet
+      header-refresh.optional.sub.html: [{}]
+      window-location.sub.html: [{}]
+      script-module-import-dynamic.sub.html: [{}]
+      script-module-import-static.sub.html: [{}]
+      serviceworker.https.sub.html: [{}]
+      svg-image.sub.html: [{}]
+      window-history.sub.html: [{}]
+      worker-dedicated-importscripts.sub.html: [{}]
+
+
   # Sec-Fetch-Mode
   # These tests are served over HTTPS so the induced requests will be both
   # same-origin with the document [1] and a potentially-trustworthy URL [2].