From 69d21141c2b75c383554b39a9c8d690aaf12e5f4 Mon Sep 17 00:00:00 2001
From: Camillia Smith Barnes <cammie@chromium.org>
Date: Fri, 26 Jul 2024 15:46:57 +0000
Subject: [PATCH] Bug 1909971 [wpt PR 47296] - Shared Storage: Align
 createWorklet's default data origin w/addModule's, a=testonly

Automatic update from web-platform-tests
Shared Storage: Align createWorklet's default data origin w/addModule's

We align the default data origin for createWorklet with that of
addModule to be the invoking context's origin. We also hook up the
dataOrigin option in createWorklet's options dictionary, so that
the script origin can be manually specified to be used as the data
origin instead.

See https://github.com/WICG/shared-storage/pull/158,
https://github.com/WICG/shared-storage/pull/161, and
https://groups.google.com/a/chromium.org/g/blink-dev/c/YZ4XGewKVuk.

Bug: 353738488
Change-Id: I3578e48f14c9fb1005211b94889ce01ef209162c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5716903
Reviewed-by: Yao Xiao <yaoxia@chromium.org>
Commit-Queue: Cammie Smith Barnes <cammie@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1333189}

--

wpt-commits: 71b107815a391a469b081cbb9242e1723ede50fb
wpt-pr: 47296
---
 ...-permissions-policy-default.https.sub.html |  4 +-
 ...ion-permissions-policy-none.https.sub.html |  4 +-
 ...ion-permissions-policy-self.https.sub.html |  4 +-
 .../private-aggregation/resources/util.js     |  6 +-
 ...let-with-data-url.tentative.https.sub.html | 21 +++++-
 ...edentials-include.tentative.https.sub.html | 47 ++++++++++---
 ...-credentials-omit.tentative.https.sub.html | 46 +++++++++++--
 ...tials-same-origin.tentative.https.sub.html | 46 +++++++++++--
 ...n-worklet-allowed.tentative.https.sub.html | 31 ---------
 ...allow-credentials.tentative.https.sub.html | 41 ++++++++++--
 ...trol-allow-origin.tentative.https.sub.html | 40 +++++++++--
 ...n-worklet-allowed.tentative.https.sub.html | 30 ---------
 ...n-worklet-allowed.tentative.https.sub.html | 66 +++++++++++++++++++
 ...n-worklet-allowed.tentative.https.sub.html | 60 +++++++++++++++++
 ...erify-data-origin.tentative.https.sub.html | 32 +++++++--
 ...et-in-sandboxed-frame-inner.https.sub.html |  4 +-
 .../shared-storage/resources/util.sub.js      | 18 +++--
 .../verify-shared-storage.https.html          |  3 +
 ...ns-policy-default.tentative.https.sub.html |  2 +-
 ...sions-policy-none.tentative.https.sub.html |  2 +-
 ...sions-policy-self.tentative.https.sub.html |  2 +-
 ...e-in-sandboxed-iframe.tentative.https.html | 16 ++++-
 ...ns-policy-default.tentative.https.sub.html |  2 +-
 ...sions-policy-none.tentative.https.sub.html |  2 +-
 ...sions-policy-self.tentative.https.sub.html |  2 +-
 25 files changed, 408 insertions(+), 123 deletions(-)
 delete mode 100644 testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
 delete mode 100644 testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
 create mode 100644 testing/web-platform/tests/shared-storage/cross-origin-create-worklet-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
 create mode 100644 testing/web-platform/tests/shared-storage/cross-origin-create-worklet-missing-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html

diff --git a/testing/web-platform/tests/private-aggregation/private-aggregation-permissions-policy-default.https.sub.html b/testing/web-platform/tests/private-aggregation/private-aggregation-permissions-policy-default.https.sub.html
index 81e0c241184b6..3deb607705152 100644
--- a/testing/web-platform/tests/private-aggregation/private-aggregation-permissions-policy-default.https.sub.html
+++ b/testing/web-platform/tests/private-aggregation/private-aggregation-permissions-policy-default.https.sub.html
@@ -34,8 +34,8 @@
   await CreateWorkletAndVerifyContributeToHistogram(
       /*shared_storage_origin=*/cross_origin, paa_data);
 }, 'In a page with default "private-aggregation" permissions policy, ' +
-   'createWorklet() with cross-origin script, and then execute ' +
-   'contributeToHistogram() inside the worklet');
+   'createWorklet() with cross-origin script and script data origin, and then '
+   + 'execute contributeToHistogram() inside the worklet');
 
 </script>
 </body>
diff --git a/testing/web-platform/tests/private-aggregation/private-aggregation-permissions-policy-none.https.sub.html b/testing/web-platform/tests/private-aggregation/private-aggregation-permissions-policy-none.https.sub.html
index a10efe95c4bb7..92fd2d5f36095 100644
--- a/testing/web-platform/tests/private-aggregation/private-aggregation-permissions-policy-none.https.sub.html
+++ b/testing/web-platform/tests/private-aggregation/private-aggregation-permissions-policy-none.https.sub.html
@@ -34,8 +34,8 @@
   await CreateWorkletAndVerifyContributeToHistogram(
       /*shared_storage_origin=*/cross_origin, paa_data, /*expected_error=*/true);
 }, 'In a page with "private-aggregation=()" permissions policy, ' +
-   'createWorklet() with cross-origin script, and then execute ' +
-   'contributeToHistogram() inside the worklet');
+   'createWorklet() with cross-origin script and script data origin, and then '
+   + 'execute contributeToHistogram() inside the worklet');
 
 </script>
 </body>
diff --git a/testing/web-platform/tests/private-aggregation/private-aggregation-permissions-policy-self.https.sub.html b/testing/web-platform/tests/private-aggregation/private-aggregation-permissions-policy-self.https.sub.html
index 0ec4c6b400dd6..56b98356548e3 100644
--- a/testing/web-platform/tests/private-aggregation/private-aggregation-permissions-policy-self.https.sub.html
+++ b/testing/web-platform/tests/private-aggregation/private-aggregation-permissions-policy-self.https.sub.html
@@ -34,8 +34,8 @@
   await CreateWorkletAndVerifyContributeToHistogram(
       /*shared_storage_origin=*/cross_origin, paa_data, /*expected_error=*/true);
 }, 'In a page with "private-aggregation=(self)" permissions policy, ' +
-   'createWorklet() with cross-origin script, and then execute ' +
-   'contributeToHistogram() inside the worklet');
+   'createWorklet() with cross-origin script and script data origin, and then '
+   + 'execute contributeToHistogram() inside the worklet');
 
 </script>
 </body>
diff --git a/testing/web-platform/tests/private-aggregation/resources/util.js b/testing/web-platform/tests/private-aggregation/resources/util.js
index a4e7e905c65f0..64f638684ba3f 100644
--- a/testing/web-platform/tests/private-aggregation/resources/util.js
+++ b/testing/web-platform/tests/private-aggregation/resources/util.js
@@ -35,8 +35,10 @@ async function CreateWorkletAndVerifyContributeToHistogram(shared_storage_origin
   let url1 = generateURL("/shared-storage/resources/frame1.html",
                          [ancestor_key]);
 
-  let worklet = await sharedStorage.createWorklet(shared_storage_origin +
-          "/private-aggregation/resources/shared-storage-helper-module.js");
+  let worklet = await sharedStorage.createWorklet(
+      shared_storage_origin +
+          '/private-aggregation/resources/shared-storage-helper-module.js',
+      {dataOrigin: 'script-origin'});
 
   let select_url_result = await worklet.selectURL(
     "contribute-to-histogram", [{url: url0}, {url: url1}],
diff --git a/testing/web-platform/tests/shared-storage/add-module-or-create-worklet-with-data-url.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/add-module-or-create-worklet-with-data-url.tentative.https.sub.html
index 8bc785efcb6c2..548165073342e 100644
--- a/testing/web-platform/tests/shared-storage/add-module-or-create-worklet-with-data-url.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/add-module-or-create-worklet-with-data-url.tentative.https.sub.html
@@ -15,11 +15,28 @@
 }, 'addModule() with data URL module script');
 
 promise_test(async t => {
-  // Opaque data origins are not permitted.
-  return promise_rejects_dom(t, "InvalidAccessError",
+  // Loading the worklet script uses CORS, which doesn't support the data
+  // scheme.
+  return promise_rejects_dom(t, "OperationError",
                              sharedStorage.createWorklet(
                                `data:application/javascript;alert("Hi!")`));
 }, 'createWorklet() with data URL module script and default data origin');
 
+promise_test(async t => {
+  // Loading the worklet script uses CORS, which doesn't support the data
+  // scheme.
+  return promise_rejects_dom(t, "OperationError",
+                             sharedStorage.createWorklet(
+                                 `data:application/javascript;alert("Hi!")`,
+                                 { dataOrigin: "context-origin" }));
+}, 'createWorklet() with data URL module script and dataOrigin "context-origin"');
+
+promise_test(async t => {
+  // Opaque data origins are not permitted.
+  return promise_rejects_dom(t, "InvalidAccessError",
+                             sharedStorage.createWorklet(
+                                 `data:application/javascript;alert("Hi!")`,
+                                 { dataOrigin: "script-origin" }));
+}, 'createWorklet() with data URL module script and dataOrigin "script-origin"');
 </script>
 </body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-include.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-include.tentative.https.sub.html
index 4c0e91c15613f..3b73f92d31175 100644
--- a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-include.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-include.tentative.https.sub.html
@@ -9,7 +9,8 @@
 <script>
 'use strict';
 
-promise_test(async () => {
+async function verifyStoreCookieCrossOriginCreateWorkletIncludeCredentials(
+    helper_url_params, data_origin_option) {
   const ancestor_key = token();
   const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const set_cookie_url = crossOrigin + `/cookies/resources/set-cookie.py` +
@@ -17,16 +18,15 @@
                          `&path=/shared-storage/`;
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
-                     `?access_control_allow_origin_header=${window.origin}` +
-                     `&access_control_allow_credentials_header=true` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
-                     `&token=${ancestor_key}`;
+                     helper_url_params + `&token=${ancestor_key}`;
 
   await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
 
+  const options = (data_origin_option === '') ? { credentials: "include" }
+        : { credentials: "include", dataOrigin: data_origin_option };
+
   const worklet = await sharedStorage.createWorklet(
-    helper_url + `&action=store-cookie`,
-    { credentials: "include" });
+    helper_url + `&action=store-cookie`, options);
 
   const request_cookie_fetch_response =
     await fetch(helper_url + `&action=get-cookie`);
@@ -34,7 +34,38 @@
   const request_cookie_text = await request_cookie_fetch_response.text();
 
   assert_equals(request_cookie_text, "key0=1");
-}, 'createWorklet() with cross-origin module script and credentials "include"');
+}
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletIncludeCredentials(
+      helper_url_params, /*data_origin_option=*/'');
+}, 'createWorklet() with cross-origin module script, credentials "include",'
+   + 'and default data origin (context origin).');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletIncludeCredentials(
+      helper_url_params, /*data_origin_option=*/'context-origin');
+}, 'createWorklet() with cross-origin module script, credentials "include",'
+   + 'and "context-origin" as dataOrigin.');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true` +
+      `&shared_storage_cross_origin_worklet_allowed_header=?1`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletIncludeCredentials(
+      helper_url_params, /*data_origin_option=*/'script-origin');
+}, 'createWorklet() with cross-origin module script, credentials "include",'
+   + 'and "script-origin" as dataOrigin.');
 
 </script>
 </body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-omit.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-omit.tentative.https.sub.html
index 86b56ce80d6a1..4f23e2f8de322 100644
--- a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-omit.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-omit.tentative.https.sub.html
@@ -9,7 +9,8 @@
 <script>
 'use strict';
 
-promise_test(async () => {
+async function verifyStoreCookieCrossOriginCreateWorkletOmitCredentials(
+    helper_url_params, data_origin_option) {
   const ancestor_key = token();
   const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const set_cookie_url = crossOrigin + `/cookies/resources/set-cookie.py` +
@@ -17,15 +18,15 @@
                          `&path=/shared-storage/`;
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
-                     `?access_control_allow_origin_header=${window.origin}` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
-                     `&token=${ancestor_key}`;
+                     helper_url_params + `&token=${ancestor_key}`;
 
   await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
 
+  const options = (data_origin_option === '') ? { credentials: "omit" }
+        : { credentials: "omit", dataOrigin: data_origin_option };
+
   const worklet = await sharedStorage.createWorklet(
-    helper_url + `&action=store-cookie`,
-    { credentials: "omit" });
+    helper_url + `&action=store-cookie`, options);
 
   const request_cookie_fetch_response =
     await fetch(helper_url + `&action=get-cookie`);
@@ -33,7 +34,38 @@
   const request_cookie_text = await request_cookie_fetch_response.text();
 
   assert_equals(request_cookie_text, "NO_COOKIE_HEADER");
-}, 'createWorklet() with cross-origin module script and credentials "omit"');
+}
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletOmitCredentials(
+      helper_url_params, /*data_origin_option=*/'');
+}, 'createWorklet() with cross-origin module script, credentials "omit",'
+   + 'and default data origin (context origin).');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletOmitCredentials(
+      helper_url_params, /*data_origin_option=*/'context-origin');
+}, 'createWorklet() with cross-origin module script, credentials "omit",'
+   + 'and "context-origin" as dataOrigin.');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true` +
+      `&shared_storage_cross_origin_worklet_allowed_header=?1`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletOmitCredentials(
+      helper_url_params, /*data_origin_option=*/'script-origin');
+}, 'createWorklet() with cross-origin module script, credentials "omit",'
+   + 'and "script-origin" as dataOrigin.');
 
 </script>
 </body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-same-origin.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-same-origin.tentative.https.sub.html
index 0b8faad783001..bda5da10dbecb 100644
--- a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-same-origin.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-credentials-same-origin.tentative.https.sub.html
@@ -9,7 +9,8 @@
 <script>
 'use strict';
 
-promise_test(async () => {
+async function verifyStoreCookieCrossOriginCreateWorkletSameOriginCredentials(
+    helper_url_params, data_origin_option) {
   const ancestor_key = token();
   const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const set_cookie_url = crossOrigin + `/cookies/resources/set-cookie.py` +
@@ -17,15 +18,15 @@
                          `&path=/shared-storage/`;
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
-                     `?access_control_allow_origin_header=${window.origin}` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
-                     `&token=${ancestor_key}`;
+                     helper_url_params + `&token=${ancestor_key}`;
 
   await fetch(set_cookie_url, { mode: 'no-cors', credentials: 'include' });
 
+  const options = (data_origin_option === '') ? { credentials: "same-origin" }
+        : { credentials: "same-origin", dataOrigin: data_origin_option };
+
   const worklet = await sharedStorage.createWorklet(
-    helper_url + `&action=store-cookie`,
-    { credentials: "same-origin" });
+    helper_url + `&action=store-cookie`, options);
 
   const request_cookie_fetch_response =
     await fetch(helper_url + `&action=get-cookie`);
@@ -33,7 +34,38 @@
   const request_cookie_text = await request_cookie_fetch_response.text();
 
   assert_equals(request_cookie_text, "NO_COOKIE_HEADER");
-}, 'createWorklet() with cross-origin module script and credentials "same-origin"');
+}
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletSameOriginCredentials(
+      helper_url_params, /*data_origin_option=*/'');
+}, 'createWorklet() with cross-origin module script, credentials "same-origin",'
+   + 'and default data origin (context origin).');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletSameOriginCredentials(
+      helper_url_params, /*data_origin_option=*/'context-origin');
+}, 'createWorklet() with cross-origin module script, credentials "same-origin",'
+   + 'and "context-origin" as dataOrigin.');
+
+promise_test(async () => {
+  const helper_url_params =
+      `?access_control_allow_origin_header=${window.origin}` +
+      `&access_control_allow_credentials_header=true` +
+      `&shared_storage_cross_origin_worklet_allowed_header=?1`;
+
+  await verifyStoreCookieCrossOriginCreateWorkletSameOriginCredentials(
+      helper_url_params, /*data_origin_option=*/'script-origin');
+}, 'createWorklet() with cross-origin module script, credentials "same-origin",'
+   + 'and "script-origin" as dataOrigin.');
 
 </script>
 </body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
deleted file mode 100644
index db361776f6387..0000000000000
--- a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
+++ /dev/null
@@ -1,31 +0,0 @@
-<!doctype html>
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/common/utils.js"></script>
-<script src="/shared-storage/resources/util.js"></script>
-<script src="/fenced-frame/resources/utils.js"></script>
-
-<body>
-<script>
-'use strict';
-
-promise_test(async t => {
-  const ancestor_key = token();
-  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
-  const helper_url = crossOrigin +
-                     `/shared-storage/resources/credentials-test-helper.py` +
-                     `?access_control_allow_origin_header=${window.origin}` +
-                     `&access_control_allow_credentials_header=true` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?0` +
-                     `&token=${ancestor_key}`;
-
-  return promise_rejects_dom(t, "OperationError",
-    sharedStorage.createWorklet(
-      helper_url + `&action=store-cookie`,
-      { credentials: "include" }));
-}, 'createWorklet() with cross-origin module script and credentials ' +
-   '"include", and with the Shared-Storage-Cross-Origin-Worklet-Allowed ' +
-   'response header value set to false (?0)');
-
-</script>
-</body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-credentials.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-credentials.tentative.https.sub.html
index 8887aad64dc72..49ffe8e84264c 100644
--- a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-credentials.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-credentials.tentative.https.sub.html
@@ -9,22 +9,53 @@
 <script>
 'use strict';
 
+const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+
 promise_test(async t => {
   const ancestor_key = token();
-  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
                      `?access_control_allow_origin_header=${window.origin}` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
                      `&token=${ancestor_key}`;
 
   return promise_rejects_dom(t, "OperationError",
     sharedStorage.createWorklet(
       helper_url + `&action=store-cookie`,
       { credentials: "include" }));
-}, 'createWorklet() with cross-origin module script and credentials ' +
-   '"include", and without the Access-Control-Allow-Credentials response ' +
-   'header');
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", default data origin (context origin), and without the ' +
+   'Access-Control-Allow-Credentials response header');
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&token=${ancestor_key}`;
+
+  return promise_rejects_dom(t, "OperationError",
+    sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include", dataOrigin: "context-origin" }));
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", "context-origin" as dataOrigin, and without the ' +
+   'Access-Control-Allow-Credentials response header');
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
+                     `&token=${ancestor_key}`;
+
+  return promise_rejects_dom(t, "OperationError",
+    sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include", dataOrigin: "script-origin" }));
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", "script-origin" as dataOrigin, and without the ' +
+   'Access-Control-Allow-Credentials response header');
 
 </script>
 </body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-origin.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-origin.tentative.https.sub.html
index 58a2f3a77bbfb..e3154fd191e51 100644
--- a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-origin.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-access-control-allow-origin.tentative.https.sub.html
@@ -9,21 +9,53 @@
 <script>
 'use strict';
 
+const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+
 promise_test(async t => {
   const ancestor_key = token();
-  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const helper_url = crossOrigin +
                      `/shared-storage/resources/credentials-test-helper.py` +
                      `&access_control_allow_credentials_header=true` +
-                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
                      `&token=${ancestor_key}`;
 
   return promise_rejects_dom(t, "OperationError",
     sharedStorage.createWorklet(
       helper_url + `&action=store-cookie`,
       { credentials: "include" }));
-}, 'createWorklet() with cross-origin module script and credentials ' +
-   '"include", and without the Access-Control-Allow-Origin response header');
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", default data origin (context origin), and without ' +
+   'Access-Control-Allow-Origin response header');
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `&access_control_allow_credentials_header=true` +
+                     `&token=${ancestor_key}`;
+
+  return promise_rejects_dom(t, "OperationError",
+    sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include", dataOrigin: "context-origin" }));
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", "context-origin" as dataOrigin, and without the ' +
+   'Access-Control-Allow-Origin response header');
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url = crossOrigin +
+                     `/shared-storage/resources/credentials-test-helper.py` +
+                     `&access_control_allow_credentials_header=true` +
+                     `&shared_storage_cross_origin_worklet_allowed_header=?1` +
+                     `&token=${ancestor_key}`;
+
+  return promise_rejects_dom(t, "OperationError",
+    sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include", dataOrigin: "script-origin" }));
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", "script-origin" as dataOrigin, and without the ' +
+   'Access-Control-Allow-Origin response header');
 
 </script>
 </body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
deleted file mode 100644
index 5b140a8141c96..0000000000000
--- a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-failure-missing-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
+++ /dev/null
@@ -1,30 +0,0 @@
-<!doctype html>
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/common/utils.js"></script>
-<script src="/shared-storage/resources/util.js"></script>
-<script src="/fenced-frame/resources/utils.js"></script>
-
-<body>
-<script>
-'use strict';
-
-promise_test(async t => {
-  const ancestor_key = token();
-  const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
-  const helper_url = crossOrigin +
-                     `/shared-storage/resources/credentials-test-helper.py` +
-                     `?access_control_allow_origin_header=${window.origin}` +
-                     `&access_control_allow_credentials_header=true` +
-                     `&token=${ancestor_key}`;
-
-  return promise_rejects_dom(t, "OperationError",
-    sharedStorage.createWorklet(
-      helper_url + `&action=store-cookie`,
-      { credentials: "include" }));
-}, 'createWorklet() with cross-origin module script and credentials ' +
-   '"include", and without the Shared-Storage-Cross-Origin-Worklet-Allowed ' +
-   'response header');
-
-</script>
-</body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
new file mode 100644
index 0000000000000..0b8f8b9e23d77
--- /dev/null
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-false-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
@@ -0,0 +1,66 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/shared-storage/resources/util.js"></script>
+<script src="/fenced-frame/resources/utils.js"></script>
+
+<body>
+<script>
+'use strict';
+
+const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+const helperUrlBase = crossOrigin +
+      `/shared-storage/resources/credentials-test-helper.py`;
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url =  helperUrlBase +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&access_control_allow_credentials_header=true` +
+                     `&shared_storage_cross_origin_worklet_allowed_header=?0` +
+                     `&token=${ancestor_key}`;
+
+   await sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include" });
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", default data origin (context origin), and with the ' +
+   'Shared-Storage-Cross-Origin-Worklet-Allowed response header value ' +
+   'set to false (?0)');
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url = helperUrlBase +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&access_control_allow_credentials_header=true` +
+                     `&shared_storage_cross_origin_worklet_allowed_header=?0` +
+                     `&token=${ancestor_key}`;
+
+  await sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+        { credentials: "include", dataOrigin: "context-origin" });
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", "context-origin" as dataOrigin, and with the ' +
+   'Shared-Storage-Cross-Origin-Worklet-Allowed response header value ' +
+   'set to false (?0)');
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url = helperUrlBase +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&access_control_allow_credentials_header=true` +
+                     `&shared_storage_cross_origin_worklet_allowed_header=?0` +
+                     `&token=${ancestor_key}`;
+
+  return promise_rejects_dom(t, "OperationError",
+    sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include", dataOrigin: "script-origin" }));
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", "script-origin" as dataOrigin, and with the ' +
+   'Shared-Storage-Cross-Origin-Worklet-Allowed response header value ' +
+   'set to false (?0)');
+
+</script>
+</body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-missing-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-missing-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
new file mode 100644
index 0000000000000..fe7333a6360be
--- /dev/null
+++ b/testing/web-platform/tests/shared-storage/cross-origin-create-worklet-missing-shared-storage-cross-origin-worklet-allowed.tentative.https.sub.html
@@ -0,0 +1,60 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/shared-storage/resources/util.js"></script>
+<script src="/fenced-frame/resources/utils.js"></script>
+
+<body>
+<script>
+'use strict';
+
+const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
+const helperUrlBase = crossOrigin +
+      `/shared-storage/resources/credentials-test-helper.py`;
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url =  helperUrlBase +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&access_control_allow_credentials_header=true` +
+                     `&token=${ancestor_key}`;
+
+   await sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+      { credentials: "include" });
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", default data origin (context origin), and without the ' +
+   'Shared-Storage-Cross-Origin-Worklet-Allowed response header');
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url = helperUrlBase +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&access_control_allow_credentials_header=true` +
+                     `&token=${ancestor_key}`;
+
+  await sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+        { credentials: "include", dataOrigin: "context-origin" });
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", "context-origin" as dataOrigin, and without the ' +
+   'Shared-Storage-Cross-Origin-Worklet-Allowed response header');
+
+promise_test(async t => {
+  const ancestor_key = token();
+  const helper_url = helperUrlBase +
+                     `?access_control_allow_origin_header=${window.origin}` +
+                     `&access_control_allow_credentials_header=true` +
+                     `&token=${ancestor_key}`;
+
+  return promise_rejects_dom(t, "OperationError",
+    sharedStorage.createWorklet(
+      helper_url + `&action=store-cookie`,
+        { credentials: "include", dataOrigin: "script-origin" }));
+}, 'createWorklet() with cross-origin module script, credentials ' +
+   '"include", "script-origin" as dataOrigin, and without the ' +
+   'Shared-Storage-Cross-Origin-Worklet-Allowed response header');
+
+</script>
+</body>
diff --git a/testing/web-platform/tests/shared-storage/cross-origin-worklet-select-url-and-verify-data-origin.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/cross-origin-worklet-select-url-and-verify-data-origin.tentative.https.sub.html
index 5b6b9d5f8f5b5..bc78433d8e906 100644
--- a/testing/web-platform/tests/shared-storage/cross-origin-worklet-select-url-and-verify-data-origin.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/cross-origin-worklet-select-url-and-verify-data-origin.tentative.https.sub.html
@@ -9,14 +9,15 @@
 <script>
 'use strict';
 
-promise_test(async () => {
+async function createWorkletThenSelectUrlAndVerifyDataOrigin(data_origin_value) {
   const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
   const script_url = crossOrigin +
                      `/shared-storage/resources/simple-module.js`;
 
-  const worklet = await sharedStorage.createWorklet(
-    script_url,
-    { credentials: "omit" });
+    const options = (data_origin_value === '') ? { credentials: "omit" } :
+          { credentials: "omit", dataOrigin: data_origin_value };
+
+  const worklet = await sharedStorage.createWorklet(script_url, options);
 
   const ancestor_key = token();
   let url0 = generateURL("/shared-storage/resources/frame0.html",
@@ -39,8 +40,27 @@
   const result0 = await nextValueFromServer(ancestor_key);
   assert_equals(result0, "frame0_loaded");
 
-  await verifyKeyValueForOrigin('key0', 'value0', crossOrigin);
-}, 'For a cross-origin worklet, test selectURL() and verify its data origin');
+  const expectedDataOrigin = (data_origin_value === 'script-origin') ?
+        crossOrigin : location.origin;
+  await verifyKeyValueForOrigin('key0', 'value0', expectedDataOrigin);
+}
+
+promise_test(async () => {
+  await createWorkletThenSelectUrlAndVerifyDataOrigin(/*data_origin_value=*/'');
+}, 'For a cross-origin worklet with default data origin, test selectURL() ' +
+   'and verify its data origin');
+
+promise_test(async () => {
+  await createWorkletThenSelectUrlAndVerifyDataOrigin(
+        /*data_origin_value=*/'context-origin');
+}, 'For a cross-origin worklet with dataOrigin "context-origin", test ' +
+   'selectURL() and verify its data origin');
+
+promise_test(async () => {
+  await createWorkletThenSelectUrlAndVerifyDataOrigin(
+        /*data_origin_value=*/'script-origin');
+}, 'For a cross-origin worklet with dataOrigin "script-origin", test ' +
+   'selectURL() and verify its data origin');
 
 </script>
 </body>
diff --git a/testing/web-platform/tests/shared-storage/resources/cross-origin-worklet-in-sandboxed-frame-inner.https.sub.html b/testing/web-platform/tests/shared-storage/resources/cross-origin-worklet-in-sandboxed-frame-inner.https.sub.html
index 498fda3078099..f5e41c84d5575 100644
--- a/testing/web-platform/tests/shared-storage/resources/cross-origin-worklet-in-sandboxed-frame-inner.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/resources/cross-origin-worklet-in-sandboxed-frame-inner.https.sub.html
@@ -22,7 +22,7 @@
 
   const worklet = await sharedStorage.createWorklet(
     script_url,
-    { credentials: "omit" });
+    { credentials: "omit", dataOrigin: "script-origin" });
 
   let url0 = generateURL("/shared-storage/resources/frame0.html",
                          [ancestor_token]);
@@ -48,4 +48,4 @@
 test();
 
 </script>
-</body>
\ No newline at end of file
+</body>
diff --git a/testing/web-platform/tests/shared-storage/resources/util.sub.js b/testing/web-platform/tests/shared-storage/resources/util.sub.js
index dc1ec780a2400..a5511a96800ea 100644
--- a/testing/web-platform/tests/shared-storage/resources/util.sub.js
+++ b/testing/web-platform/tests/shared-storage/resources/util.sub.js
@@ -126,9 +126,12 @@ async function testCreateWorkletWithDataOption(
   const scriptOrigin = is_same_origin_script ? sameOrigin : crossOrigin;
   const scriptUrl = is_same_origin_script ? sameOriginScriptUrl :
                                             crossOrigin + sameOriginScriptUrl;
+  const dataOrigin =
+      (data_origin === 'script-origin') ? scriptOrigin : sameOrigin;
+  let success = false;
+  let error = null;
 
   try {
-    // Currently the `dataOrigin` option is not hooked up.
     const worklet = await sharedStorage.createWorklet(
         scriptUrl, {credentials: 'omit', dataOrigin: data_origin});
 
@@ -148,14 +151,17 @@ async function testCreateWorkletWithDataOption(
     const result0 = await nextValueFromServer(ancestor_key);
     assert_equals(result0, 'frame0_loaded');
 
-    await verifyKeyValueForOrigin(key, value, scriptOrigin);
-    await deleteKeyForOrigin(key, scriptOrigin);
-    assert_true(expect_success, 'no error caught even though one was expected');
+    await verifyKeyValueForOrigin(key, value, dataOrigin);
+    await deleteKeyForOrigin(key, dataOrigin);
+    success = true;
   } catch (e) {
-    assert_false(
-        expect_success, 'expected success but error thrown: ' + e.toString());
+    error = e;
     assert_equals(e.name, 'TypeError');
   } finally {
+    assert_equals(
+        expect_success, success,
+        error ? 'expected success but error thrown: ' + error.toString() :
+                'no error caught even though one was expected');
     test.done();
   }
 }
diff --git a/testing/web-platform/tests/shared-storage/resources/verify-shared-storage.https.html b/testing/web-platform/tests/shared-storage/resources/verify-shared-storage.https.html
index c2d75ddf85299..cc4440df7d8e3 100644
--- a/testing/web-platform/tests/shared-storage/resources/verify-shared-storage.https.html
+++ b/testing/web-platform/tests/shared-storage/resources/verify-shared-storage.https.html
@@ -11,6 +11,9 @@
       await sharedStorage.set('key0', 'key1');
     } else if (method == 'createWorklet') {
       await sharedStorage.createWorklet('simple-module.js')
+    } else if (method == 'createWorkletScriptOrigin') {
+      await sharedStorage.createWorklet('simple-module.js',
+                                        { dataOrigin: 'script-origin' })
     } else if (method == 'addModule') {
       await sharedStorage.worklet.addModule('simple-module.js')
     }
diff --git a/testing/web-platform/tests/shared-storage/select-url-permissions-policy-default.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/select-url-permissions-policy-default.tentative.https.sub.html
index a5be825d0e80f..6bb6dde4a0768 100644
--- a/testing/web-platform/tests/shared-storage/select-url-permissions-policy-default.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/select-url-permissions-policy-default.tentative.https.sub.html
@@ -30,7 +30,7 @@
     promise_test(async t => {
       const worklet = await sharedStorage.createWorklet(
         cross_origin_script,
-        { credentials: "omit" });
+        { credentials: "omit", dataOrigin: "script-origin" });
 
       await worklet.selectURL("operation", [{url: "1.html"}]);
     }, header + ' allows selectURL() on a cross-origin worklet');
diff --git a/testing/web-platform/tests/shared-storage/select-url-permissions-policy-none.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/select-url-permissions-policy-none.tentative.https.sub.html
index 6b48036fadb08..caaa1285e7649 100644
--- a/testing/web-platform/tests/shared-storage/select-url-permissions-policy-none.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/select-url-permissions-policy-none.tentative.https.sub.html
@@ -31,7 +31,7 @@
     promise_test(async t => {
       const worklet = await sharedStorage.createWorklet(
         cross_origin_script,
-        { credentials: "omit" });
+        { credentials: "omit", dataOrigin: "script-origin" });
 
       return promise_rejects_dom(t, "InvalidAccessError",
         worklet.selectURL("operation", [{url: "1.html"}]));
diff --git a/testing/web-platform/tests/shared-storage/select-url-permissions-policy-self.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/select-url-permissions-policy-self.tentative.https.sub.html
index 71d5653a2d180..86414c2c9daac 100644
--- a/testing/web-platform/tests/shared-storage/select-url-permissions-policy-self.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/select-url-permissions-policy-self.tentative.https.sub.html
@@ -30,7 +30,7 @@
     promise_test(async t => {
       const worklet = await sharedStorage.createWorklet(
         cross_origin_script,
-        { credentials: "omit" });
+        { credentials: "omit", dataOrigin: "script-origin" });
 
       return promise_rejects_dom(t, "InvalidAccessError",
         worklet.selectURL("operation", [{url: "1.html"}]));
diff --git a/testing/web-platform/tests/shared-storage/shared-storage-in-sandboxed-iframe.tentative.https.html b/testing/web-platform/tests/shared-storage/shared-storage-in-sandboxed-iframe.tentative.https.html
index 537f2e99d3850..c0accefc4971b 100644
--- a/testing/web-platform/tests/shared-storage/shared-storage-in-sandboxed-iframe.tentative.https.html
+++ b/testing/web-platform/tests/shared-storage/shared-storage-in-sandboxed-iframe.tentative.https.html
@@ -52,9 +52,23 @@
       test_shared_storage_in_sandboxed_iframe(t,
         /*sandbox_flags=*/'allow-scripts',
         /*method=*/'createWorklet',
-        /*expect_success=*/true);
+        /*expect_success=*/false);
     }, 'test sharedStorage.createWorklet() in sandboxed iframe without "allow-same-origin"');
 
+    async_test(t => {
+      test_shared_storage_in_sandboxed_iframe(t,
+        /*sandbox_flags=*/'allow-scripts allow-same-origin',
+        /*method=*/'createWorkletScriptOrigin',
+        /*expect_success=*/true);
+    }, 'test sharedStorage.createWorklet() with dataOrigin "script-origin" in sandboxed iframe with "allow-same-origin"');
+
+    async_test(t => {
+      test_shared_storage_in_sandboxed_iframe(t,
+        /*sandbox_flags=*/'allow-scripts',
+        /*method=*/'createWorkletScriptOrigin',
+        /*expect_success=*/true);
+    }, 'test sharedStorage.createWorklet() with dataOrigin "script-origin" in sandboxed iframe without "allow-same-origin"');
+
     async_test(t => {
       test_shared_storage_in_sandboxed_iframe(t,
         /*sandbox_flags=*/'allow-scripts allow-same-origin',
diff --git a/testing/web-platform/tests/shared-storage/shared-storage-permissions-policy-default.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/shared-storage-permissions-policy-default.tentative.https.sub.html
index d0ff76a61efd1..a0560765414af 100644
--- a/testing/web-platform/tests/shared-storage/shared-storage-permissions-policy-default.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/shared-storage-permissions-policy-default.tentative.https.sub.html
@@ -27,7 +27,7 @@
     promise_test(async t => {
       const worklet = await sharedStorage.createWorklet(
         cross_origin_script,
-        { credentials: "omit" });
+        { credentials: "omit", dataOrigin: "script-origin" });
     }, header + ' allows sharedStorage.createWorklet() with cross-origin script');
 
     async_test(t => {
diff --git a/testing/web-platform/tests/shared-storage/shared-storage-permissions-policy-none.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/shared-storage-permissions-policy-none.tentative.https.sub.html
index c3cd3b1b47851..e23174d6b9603 100644
--- a/testing/web-platform/tests/shared-storage/shared-storage-permissions-policy-none.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/shared-storage-permissions-policy-none.tentative.https.sub.html
@@ -29,7 +29,7 @@
       return promise_rejects_dom(t, "InvalidAccessError",
         sharedStorage.createWorklet(
             cross_origin_script,
-            { credentials: "omit" }));
+            { credentials: "omit", dataOrigin: "script-origin" }));
     }, header + ' disallows sharedStorage.createWorklet() with cross-origin script');
 
     async_test(t => {
diff --git a/testing/web-platform/tests/shared-storage/shared-storage-permissions-policy-self.tentative.https.sub.html b/testing/web-platform/tests/shared-storage/shared-storage-permissions-policy-self.tentative.https.sub.html
index 9c45e86b67ab8..e976be94335d6 100644
--- a/testing/web-platform/tests/shared-storage/shared-storage-permissions-policy-self.tentative.https.sub.html
+++ b/testing/web-platform/tests/shared-storage/shared-storage-permissions-policy-self.tentative.https.sub.html
@@ -28,7 +28,7 @@
       return promise_rejects_dom(t, "InvalidAccessError",
         sharedStorage.createWorklet(
             cross_origin_script,
-            { credentials: "omit" }));
+            { credentials: "omit", dataOrigin: "script-origin" }));
     }, header + ' disallows sharedStorage.createWorklet() with cross-origin script');
 
     async_test(t => {