diff --git a/testing/web-platform/meta/MANIFEST.json b/testing/web-platform/meta/MANIFEST.json
index 5d752dc6fdc8..c899a750037d 100644
--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@@ -277642,6 +277642,31 @@
      {}
     ]
    ],
+   "fetch/sec-metadata/README.md": [
+    [
+     {}
+    ]
+   ],
+   "fetch/sec-metadata/resources/echo-as-json.py": [
+    [
+     {}
+    ]
+   ],
+   "fetch/sec-metadata/resources/echo-as-script.py": [
+    [
+     {}
+    ]
+   ],
+   "fetch/sec-metadata/resources/helper.js": [
+    [
+     {}
+    ]
+   ],
+   "fetch/sec-metadata/resources/post-to-owner.py": [
+    [
+     {}
+    ]
+   ],
    "fetch/security/support/embedded-credential-window.sub.html": [
     [
      {}
@@ -334285,6 +334310,38 @@
      {}
     ]
    ],
+   "fetch/sec-metadata/fetch.tentative.https.sub.html": [
+    [
+     "/fetch/sec-metadata/fetch.tentative.https.sub.html",
+     {}
+    ]
+   ],
+   "fetch/sec-metadata/iframe.tentative.https.sub.html": [
+    [
+     "/fetch/sec-metadata/iframe.tentative.https.sub.html",
+     {}
+    ]
+   ],
+   "fetch/sec-metadata/img.tentative.https.sub.html": [
+    [
+     "/fetch/sec-metadata/img.tentative.https.sub.html",
+     {}
+    ]
+   ],
+   "fetch/sec-metadata/script.tentative.https.sub.html": [
+    [
+     "/fetch/sec-metadata/script.tentative.https.sub.html",
+     {}
+    ]
+   ],
+   "fetch/sec-metadata/window-open.tentative.https.sub.html": [
+    [
+     "/fetch/sec-metadata/window-open.tentative.https.sub.html",
+     {
+      "testdriver": true
+     }
+    ]
+   ],
    "fetch/security/dangling-markup-mitigation-data-url.tentative.sub.html": [
     [
      "/fetch/security/dangling-markup-mitigation-data-url.tentative.sub.html",
@@ -565068,6 +565125,46 @@
    "a9e0f5b9b70917aabbff3ad5dd03a5d5dccfa9f0",
    "testharness"
   ],
+  "fetch/sec-metadata/README.md": [
+   "75d58b35c1e5572d02dd3ad90ac65301e35c4bc7",
+   "support"
+  ],
+  "fetch/sec-metadata/fetch.tentative.https.sub.html": [
+   "6ce26d3683b78ca74a20b14ccca077cf375d742b",
+   "testharness"
+  ],
+  "fetch/sec-metadata/iframe.tentative.https.sub.html": [
+   "0308cd613a3099bf04469fba6273f46db991d49c",
+   "testharness"
+  ],
+  "fetch/sec-metadata/img.tentative.https.sub.html": [
+   "63a6c8a45102527079acb81d1c57d5dc49c07e4b",
+   "testharness"
+  ],
+  "fetch/sec-metadata/resources/echo-as-json.py": [
+   "bbe86e17580229158500722115a1347ca8fa2abb",
+   "support"
+  ],
+  "fetch/sec-metadata/resources/echo-as-script.py": [
+   "f3de57b64101ddcff326bbef8132a905d31356ce",
+   "support"
+  ],
+  "fetch/sec-metadata/resources/helper.js": [
+   "64d204e36b6ab3b7268d6fd8e0694081222b98ee",
+   "support"
+  ],
+  "fetch/sec-metadata/resources/post-to-owner.py": [
+   "2f57a1ddf411864ad2b1ba75f95453d9ed54e3f6",
+   "support"
+  ],
+  "fetch/sec-metadata/script.tentative.https.sub.html": [
+   "147291288dacf51942cadc8a85f7842c3bf19b34",
+   "testharness"
+  ],
+  "fetch/sec-metadata/window-open.tentative.https.sub.html": [
+   "116c597fb1909f7c4a67c8ada3bfeb6c011d7b04",
+   "testharness"
+  ],
   "fetch/security/dangling-markup-mitigation-data-url.tentative.sub.html": [
    "1059b1c0907444bd416889f99d766a566ba9bde3",
    "testharness"
diff --git a/testing/web-platform/tests/fetch/sec-metadata/README.md b/testing/web-platform/tests/fetch/sec-metadata/README.md
new file mode 100644
index 000000000000..c460aa1ecb94
--- /dev/null
+++ b/testing/web-platform/tests/fetch/sec-metadata/README.md
@@ -0,0 +1,11 @@
+`Sec-Metadata` Tests
+====================
+
+This directory contains tests related to the `Sec-Metadata` proposal:
+
+:   Explainer
+::  <https://github.com/mikewest/sec-metadata>
+:   "Spec"
+::  <https://mikewest.github.io/sec-metadata/>
+
+Note: All of this is tentative, and will change (rapidly).
diff --git a/testing/web-platform/tests/fetch/sec-metadata/fetch.tentative.https.sub.html b/testing/web-platform/tests/fetch/sec-metadata/fetch.tentative.https.sub.html
new file mode 100644
index 000000000000..1128218b4e8c
--- /dev/null
+++ b/testing/web-platform/tests/fetch/sec-metadata/fetch.tentative.https.sub.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/fetch/sec-metadata/resources/helper.js></script>
+<script>
+  promise_test(t => {
+    return fetch("https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-json.py")
+        .then(r => r.json())
+        .then(j => {
+          assert_header_equals(j.header, {
+            "cause": "forced",
+            "destination": "\"\"",
+            "target": "subresource",
+            "site": "same-origin"
+          });
+        });
+  }, "Same-origin fetch");
+
+  promise_test(t => {
+    return fetch("https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-json.py")
+        .then(r => r.json())
+        .then(j => {
+          assert_header_equals(j.header, {
+            "cause": "forced",
+            "destination": "\"\"",
+            "target": "subresource",
+            "site": "same-site"
+          });
+        });
+  }, "Same-site fetch");
+
+  promise_test(t => {
+    return fetch("https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-json.py")
+        .then(r => r.json())
+        .then(j => {
+          assert_header_equals(j.header, {
+            "cause": "forced",
+            "destination": "\"\"",
+            "target": "subresource",
+            "site": "cross-site"
+          });
+        });
+  }, "Cross-site fetch");
+</script>
diff --git a/testing/web-platform/tests/fetch/sec-metadata/iframe.tentative.https.sub.html b/testing/web-platform/tests/fetch/sec-metadata/iframe.tentative.https.sub.html
new file mode 100644
index 000000000000..5b56c62ad713
--- /dev/null
+++ b/testing/web-platform/tests/fetch/sec-metadata/iframe.tentative.https.sub.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/fetch/sec-metadata/resources/helper.js></script>
+<body>
+<script>
+  async_test(t => {
+    let i = document.createElement('iframe');
+    i.src = "https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
+    window.addEventListener('message', t.step_func(e => {
+      if (e.source != i.contentWindow)
+        return;
+
+      assert_header_equals(e.data, {
+        "cause": "forced",
+        "destination": "document",
+        "target": "nested",
+        "site": "same-origin"
+      });
+      t.done();
+    }));
+
+    document.body.appendChild(i);
+  }, "Same-origin iframe");
+
+  async_test(t => {
+    let i = document.createElement('iframe');
+    i.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
+    window.addEventListener('message', t.step_func(e => {
+      if (e.source != i.contentWindow)
+        return;
+
+      assert_header_equals(e.data, {
+        "cause": "forced",
+        "destination": "document",
+        "target": "nested",
+        "site": "same-site"
+      });
+      t.done();
+    }));
+
+    document.body.appendChild(i);
+  }, "Same-site iframe");
+
+  async_test(t => {
+    let i = document.createElement('iframe');
+    i.src = "https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py";
+    window.addEventListener('message', t.step_func(e => {
+      if (e.source != i.contentWindow)
+        return;
+
+      assert_header_equals(e.data, {
+        "cause": "forced",
+        "destination": "document",
+        "target": "nested",
+        "site": "cross-site"
+      });
+      t.done();
+    }));
+
+    document.body.appendChild(i);
+  }, "Cross-site iframe");
+</script>
diff --git a/testing/web-platform/tests/fetch/sec-metadata/img.tentative.https.sub.html b/testing/web-platform/tests/fetch/sec-metadata/img.tentative.https.sub.html
new file mode 100644
index 000000000000..9d17462ea463
--- /dev/null
+++ b/testing/web-platform/tests/fetch/sec-metadata/img.tentative.https.sub.html
@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/referrer-policy/generic/common.js></script>
+<script src=/fetch/sec-metadata/resources/helper.js></script>
+<body>
+<script>
+  // These tests reuse the `referrer-policy` infrastructure to load images that
+  // encode their request headers in their pixels. Fun stuff!
+  async_test(t => {
+    loadImageInWindow(
+      "https://{{host}}:{{ports[https][0]}}/referrer-policy/generic/subresource/image.py",
+      t.step_func_done(img => {
+        assert_header_equals(decodeImageData(extractImageData(img)).headers["sec-metadata"], {
+          "cause": "forced",
+          "destination": "image",
+          "target": "subresource",
+          "site": "same-origin"
+        });
+      }),
+      [],
+      window);
+  }, "Same-origin image");
+
+  async_test(t => {
+    loadImageInWindow(
+      "https://{{hosts[][www]}}:{{ports[https][0]}}/referrer-policy/generic/subresource/image.py",
+      t.step_func_done(img => {
+        assert_header_equals(decodeImageData(extractImageData(img)).headers["sec-metadata"], {
+          "cause": "forced",
+          "destination": "image",
+          "target": "subresource",
+          "site": "same-site"
+        });
+      }),
+      [],
+      window);
+  }, "Same-site image");
+
+  async_test(t => {
+    loadImageInWindow(
+      "https://{{hosts[alt][www]}}:{{ports[https][0]}}/referrer-policy/generic/subresource/image.py",
+      t.step_func_done(img => {
+        assert_header_equals(decodeImageData(extractImageData(img)).headers["sec-metadata"], {
+          "cause": "forced",
+          "destination": "image",
+          "target": "subresource",
+          "site": "cross-site"
+        });
+      }),
+      [],
+      window);
+  }, "Cross-site image");
+</script>
diff --git a/testing/web-platform/tests/fetch/sec-metadata/resources/echo-as-json.py b/testing/web-platform/tests/fetch/sec-metadata/resources/echo-as-json.py
new file mode 100644
index 000000000000..a45bb6865461
--- /dev/null
+++ b/testing/web-platform/tests/fetch/sec-metadata/resources/echo-as-json.py
@@ -0,0 +1,12 @@
+import json
+
+def main(request, response):
+    headers = [("Content-Type", "application/json"),
+               ("Access-Control-Allow-Credentials", "true")]
+
+    if "origin" in request.headers:
+        headers.append(("Access-Control-Allow-Origin", request.headers["origin"]))
+
+
+    body = json.dumps({ "header": request.headers["sec-metadata"] })
+    return headers, body
diff --git a/testing/web-platform/tests/fetch/sec-metadata/resources/echo-as-script.py b/testing/web-platform/tests/fetch/sec-metadata/resources/echo-as-script.py
new file mode 100644
index 000000000000..c503822d5c60
--- /dev/null
+++ b/testing/web-platform/tests/fetch/sec-metadata/resources/echo-as-script.py
@@ -0,0 +1,8 @@
+import json
+
+def main(request, response):
+    headers = [("Content-Type", "text/javascript")]
+
+    body = "var header = %s;" % json.dumps(request.headers["sec-metadata"]);
+
+    return headers, body
diff --git a/testing/web-platform/tests/fetch/sec-metadata/resources/helper.js b/testing/web-platform/tests/fetch/sec-metadata/resources/helper.js
new file mode 100644
index 000000000000..5754b5009e3c
--- /dev/null
+++ b/testing/web-platform/tests/fetch/sec-metadata/resources/helper.js
@@ -0,0 +1,16 @@
+function parse_metadata(value) {
+  let result = {};
+  value.split(',').forEach(item => {
+    let parsed = item.trim().split('=');
+    result[parsed[0]] = parsed[1];
+  });
+  return result;
+}
+
+function assert_header_equals(value, expected) {
+  let result = parse_metadata(value);
+  assert_equals(result.cause, expected.cause, "cause");
+  assert_equals(result.destination, expected.destination, "destination");
+  assert_equals(result.target, expected.target, "target");
+  assert_equals(result.site, expected.site, "site");
+}
diff --git a/testing/web-platform/tests/fetch/sec-metadata/resources/post-to-owner.py b/testing/web-platform/tests/fetch/sec-metadata/resources/post-to-owner.py
new file mode 100644
index 000000000000..fe08cd1cbcaa
--- /dev/null
+++ b/testing/web-platform/tests/fetch/sec-metadata/resources/post-to-owner.py
@@ -0,0 +1,16 @@
+import json
+
+def main(request, response):
+    headers = [("Content-Type", "text/html")]
+
+    body = """
+        <!DOCTYPE html>
+        <script>
+            var data = %s;
+            if (window.opener)
+                window.opener.postMessage(data, "*");
+            if (window.top != window)
+                window.top.postMessage(data, "*");
+        </script>
+    """ % json.dumps(request.headers["sec-metadata"])
+    return headers, body
diff --git a/testing/web-platform/tests/fetch/sec-metadata/script.tentative.https.sub.html b/testing/web-platform/tests/fetch/sec-metadata/script.tentative.https.sub.html
new file mode 100644
index 000000000000..1916f670c332
--- /dev/null
+++ b/testing/web-platform/tests/fetch/sec-metadata/script.tentative.https.sub.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/fetch/sec-metadata/resources/helper.js></script>
+
+<!-- Same-origin script -->
+<script src="https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-script.py"></script>
+<script>
+  test(t => {
+    t.add_cleanup(_ => header = null);
+
+    assert_header_equals(header, {
+      "cause": "forced",
+      "destination": "script",
+      "target": "subresource",
+      "site": "same-origin"
+    });
+  }, "Same-origin script");
+</script>
+
+<!-- Same-site script -->
+<script src="https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-script.py"></script>
+<script>
+  test(t => {
+    t.add_cleanup(_ => header = null);
+
+    assert_header_equals(header, {
+      "cause": "forced",
+      "destination": "script",
+      "target": "subresource",
+      "site": "same-site"
+    });
+  }, "Same-site script");
+</script>
+
+<!-- Cross-site script -->
+<script src="https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-script.py"></script>
+<script>
+  test(t => {
+    t.add_cleanup(_ => header = null);
+
+    assert_header_equals(header, {
+      "cause": "forced",
+      "destination": "script",
+      "target": "subresource",
+      "site": "cross-site"
+    });
+  }, "Cross-site script");
+</script>
diff --git a/testing/web-platform/tests/fetch/sec-metadata/window-open.tentative.https.sub.html b/testing/web-platform/tests/fetch/sec-metadata/window-open.tentative.https.sub.html
new file mode 100644
index 000000000000..1f9df663f1da
--- /dev/null
+++ b/testing/web-platform/tests/fetch/sec-metadata/window-open.tentative.https.sub.html
@@ -0,0 +1,127 @@
+<!DOCTYPE html>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/resources/testdriver.js></script>
+<script src=/resources/testdriver-vendor.js></script>
+<script src=/fetch/sec-metadata/resources/helper.js></script>
+<body>
+<script>
+  // Forced navigations:
+  async_test(t => {
+    let w = window.open("https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py");
+    t.add_cleanup(_ => w.close());
+    window.addEventListener('message', t.step_func(e => {
+      if (e.source != w)
+        return;
+
+      assert_header_equals(e.data, {
+        "cause": "forced",
+        "destination": "document",
+        "target": "top-level",
+        "site": "same-origin"
+      });
+      t.done();
+    }));
+  }, "Same-origin window, forced");
+
+  async_test(t => {
+    let w = window.open("https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py");
+    t.add_cleanup(_ => w.close());
+    window.addEventListener('message', t.step_func(e => {
+      if (e.source != w)
+        return;
+
+      assert_header_equals(e.data, {
+        "cause": "forced",
+        "destination": "document",
+        "target": "top-level",
+        "site": "same-site"
+      });
+      t.done();
+    }));
+  }, "Same-site window, forced");
+
+  async_test(t => {
+    let w = window.open("https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py");
+    t.add_cleanup(_ => w.close());
+    window.addEventListener('message', t.step_func(e => {
+      if (e.source != w)
+        return;
+
+      assert_header_equals(e.data, {
+        "cause": "forced",
+        "destination": "document",
+        "target": "top-level",
+        "site": "cross-site"
+      });
+      t.done();
+    }));
+  }, "Cross-site window, forced");
+
+  // User-activated navigations:
+  async_test(t => {
+    let b = document.createElement('button');
+    b.onclick = t.step_func(_ => {
+      let w = window.open("https://{{host}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py");
+      t.add_cleanup(_ => w.close());
+      window.addEventListener('message', t.step_func(e => {
+        if (e.source != w)
+          return;
+
+        assert_header_equals(e.data, {
+          "cause": "user-activated",
+          "destination": "document",
+          "target": "top-level",
+          "site": "same-origin"
+        });
+        t.done();
+      }));
+    });
+    document.body.appendChild(b);
+    test_driver.click(b);
+  }, "Same-origin window, user-activated");
+
+  async_test(t => {
+    let b = document.createElement('button');
+    b.onclick = t.step_func(_ => {
+      let w = window.open("https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py");
+      t.add_cleanup(_ => w.close());
+      window.addEventListener('message', t.step_func(e => {
+        if (e.source != w)
+          return;
+
+        assert_header_equals(e.data, {
+          "cause": "user-activated",
+          "destination": "document",
+          "target": "top-level",
+          "site": "same-site"
+        });
+        t.done();
+      }));
+    });
+    document.body.appendChild(b);
+    test_driver.click(b);
+  }, "Same-site window, user-activated");
+
+  async_test(t => {
+    let b = document.createElement('button');
+    b.onclick = t.step_func(_ => {
+      let w = window.open("https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/post-to-owner.py");
+      t.add_cleanup(_ => w.close());
+      window.addEventListener('message', t.step_func(e => {
+        if (e.source != w)
+          return;
+
+        assert_header_equals(e.data, {
+          "cause": "user-activated",
+          "destination": "document",
+          "target": "top-level",
+          "site": "cross-site"
+        });
+        t.done();
+      }));
+    });
+    document.body.appendChild(b);
+    test_driver.click(b);
+  }, "Cross-site window, user-activated");
+</script>