diff --git a/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html b/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
new file mode 100644
index 00000000000000..77ecdaff9fe36e
--- /dev/null
+++ b/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
@@ -0,0 +1,25 @@
+
+
Federated Credential Management API SameSite=None tests.
+
+
+
+
+
+
+
+
+
diff --git a/credential-management/support/fedcm-helper.sub.js b/credential-management/support/fedcm-helper.sub.js
index 765b3cc48a9019..25fdb0995c1a2b 100644
--- a/credential-management/support/fedcm-helper.sub.js
+++ b/credential-management/support/fedcm-helper.sub.js
@@ -22,7 +22,7 @@ export function open_and_wait_for_popup(origin, path) {
// Set the identity provider cookie.
export function set_fedcm_cookie(host) {
if (host == undefined) {
- document.cookie = 'cookie=1; SameSite=Strict; Path=/credential-management/support; Secure';
+ document.cookie = 'cookie=1; SameSite=None; Path=/credential-management/support; Secure';
return Promise.resolve();
} else {
return open_and_wait_for_popup(host, '/credential-management/support/set_cookie');
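Review bot: The `host == undefined` branch now sets only the `cookie=1; SameSite=None` cookie, while the popup branch (via set_cookie.headers in this same patch) also sets `same_site_strict=1; SameSite=Strict`, so the "Should not send SameSite=Strict cookies" assertions in the new `*_check_same_site_strict.py` endpoints are vacuous for any test that takes the inline branch. If those endpoints are meant to be exercised from that branch too, add a second line next to L28: `document.cookie = 'same_site_strict=1; SameSite=Strict; Path=/credential-management/support; Secure';`. The reason for the Strict→None swap (FedCM fetches are now treated as cross-site) is worth a one-line comment above the assignment so nobody reverts it. set_fedcm_cookie's closing brace is outside the hunk.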
diff --git a/credential-management/support/fedcm/accounts_check_same_site_strict.py b/credential-management/support/fedcm/accounts_check_same_site_strict.py
new file mode 100644
index 00000000000000..a6f385feac1ccf
--- /dev/null
+++ b/credential-management/support/fedcm/accounts_check_same_site_strict.py
@@ -0,0 +1,28 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+ request_error = error_checker.accountsCheck(request)
+ if (request_error):
+ return request_error
+ if request.cookies.get(b"same_site_strict") == b"1":
+ return (546, [], "Should not send SameSite=Strict cookies")
+ if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":
+ return (538, [], "Wrong Sec-Fetch-Site header")
+
+ response.headers.set(b"Content-Type", b"application/json")
+
+ return """
+{
+ "accounts": [{
+ "id": "1234",
+ "given_name": "John",
+ "name": "John Doe",
+ "email": "john_doe@idp.example",
+ "picture": "https://idp.example/profile/123",
+ "approved_clients": ["123", "456", "789"],
+ "login_hints": ["john_doe"],
+ "domain_hints": ["idp.example", "example"]
+ }]
+}
+"""
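Review bot: The two new checks at L45-L48 are the whole point of this fixture but carry no explanation of what they prove or why 546/538 were chosen, so a reader has to reconstruct it from the sibling test files. I would add a module comment along the lines of `# Accounts endpoint for the SameSite=None tests: the FedCM accounts fetch must carry the SameSite=None IdP cookie (checked by accountsCheck) but must NOT carry a SameSite=Strict cookie, and must arrive as a cross-site fetch (Sec-Fetch-Site: cross-site).` and note that 546/538 are arbitrary, test-only status codes chosen to be distinguishable in failure output. As a point of style, `if (request_error):` should be `if request_error:` to match the surrounding `if` statements in this file and in request-params-check.py.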
diff --git a/credential-management/support/fedcm/manifest_check_same_site_strict.json b/credential-management/support/fedcm/manifest_check_same_site_strict.json
new file mode 100644
index 00000000000000..d7304159834804
--- /dev/null
+++ b/credential-management/support/fedcm/manifest_check_same_site_strict.json
@@ -0,0 +1,7 @@
+{
+ "accounts_endpoint": "accounts_check_same_site_strict.py",
+ "client_metadata_endpoint": "client_metadata.py",
+ "id_assertion_endpoint": "token_check_same_site_strict.py",
+ "login_url": "login.html"
+}
+
diff --git a/credential-management/support/fedcm/request-params-check.py b/credential-management/support/fedcm/request-params-check.py
index b774496d5dab3e..6c610e6e201dd1 100644
--- a/credential-management/support/fedcm/request-params-check.py
+++ b/credential-management/support/fedcm/request-params-check.py
@@ -17,8 +17,6 @@ def commonUncredentialedRequestCheck(request):
def commonCredentialedRequestCheck(request):
if request.cookies.get(b"cookie") != b"1":
return (537, [], "Missing cookie")
- if request.headers.get(b"Sec-Fetch-Site") != b"none":
- return (538, [], "Wrong Sec-Fetch-Site header")
def commonPostCheck(request):
if not request.headers.get(b"Origin"):
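Review bot: Deleting the Sec-Fetch-Site check from commonCredentialedRequestCheck removes that assertion from every credentialed endpoint that relies on this helper; only the new accounts_check_same_site_strict.py re-adds it (as `cross-site`), and token_check_same_site_strict.py does not check it at all. If all credentialed FedCM fetches are now expected to be cross-site, the check belongs back in the shared helper rather than per-endpoint: `if request.headers.get(b"Sec-Fetch-Site") != b"cross-site": return (538, [], "Wrong Sec-Fetch-Site header")`. If some endpoints legitimately still see a different value, a comment here saying so would stop the next reader from treating the deletion as a coverage regression. commonPostCheck's body continues outside the hunk.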
diff --git a/credential-management/support/fedcm/token_check_same_site_strict.py b/credential-management/support/fedcm/token_check_same_site_strict.py
new file mode 100644
index 00000000000000..8a4b3a234bdb99
--- /dev/null
+++ b/credential-management/support/fedcm/token_check_same_site_strict.py
@@ -0,0 +1,15 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+ request_error = error_checker.tokenCheck(request)
+ if (request_error):
+ return request_error
+ if request.cookies.get(b"same_site_strict") == b"1":
+ return (546, [], "Should not send SameSite=Strict cookies")
+
+ response.headers.set(b"Content-Type", b"application/json")
+ response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+ response.headers.set(b"Access-Control-Allow-Credentials", "true")
+
+ return "{\"token\": \"token\"}"
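Review bot: Unlike its sibling accounts_check_same_site_strict.py, this id_assertion endpoint only asserts the absence of the Strict cookie and never checks Sec-Fetch-Site, so a token request that arrived same-site would still pass here. For symmetry add, after the cookie check, `if request.headers.get(b"Sec-Fetch-Site") != b"cross-site": return (538, [], "Wrong Sec-Fetch-Site header")`. Reflecting the request Origin into Access-Control-Allow-Origin together with Allow-Credentials: true is acceptable only because this is a test fixture; it relies on tokenCheck already rejecting requests with no Origin header (as commonPostCheck appears to), otherwise `headers.set` would receive None — a one-line comment stating that dependency would make it explicit.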
diff --git a/credential-management/support/set_cookie.headers b/credential-management/support/set_cookie.headers
index b19ff933a6f585..4226ff4c9975cc 100644
--- a/credential-management/support/set_cookie.headers
+++ b/credential-management/support/set_cookie.headers
@@ -1,2 +1,3 @@
Content-Type: text/html
Set-Cookie: cookie=1; SameSite=None; Secure
+Set-Cookie: same_site_strict=1; SameSite=Strict; Secure