diff --git a/fetch.js b/fetch.js
index 475f6e36..b6b53c0a 100644
--- a/fetch.js
+++ b/fetch.js
@@ -135,7 +135,7 @@
     options = options || {}
     this.url = url
     this._body = options.body
-    this.credentials = options.credentials || null
+    this.credentials = options.credentials || 'omit'
     this.headers = new Headers(options.headers)
     this.method = normalizeMethod(options.method || 'GET')
     this.mode = options.mode || null
@@ -225,4 +225,5 @@
   self.fetch = function (url, options) {
     return new Request(url, options).fetch()
   }
+  self.fetch.polyfill = true
 })();
diff --git a/test/server.js b/test/server.js
index cf691c10..afc091b1 100755
--- a/test/server.js
+++ b/test/server.js
@@ -5,6 +5,7 @@ var port = Number(process.argv[2] || 3000)
 var fs = require('fs')
 var http = require('http');
 var url = require('url');
+var querystring = require('querystring');
 
 var routes = {
   '/request': function(res, req) {
@@ -70,6 +71,18 @@ var routes = {
     res.writeHead(200, {'Content-Type': 'application/json'});
     res.end('not json {');
   },
+  '/cookie': function(res, req) {
+    var setCookie, cookie
+    var params = querystring.parse(url.parse(req.url).query);
+    if (params.value && params.value) {
+      setCookie = [params.name, params.value].join('=');
+    }
+    if (params.name) {
+      cookie = querystring.parse(req.headers['cookie'], '; ')[params.name];
+    }
+    res.writeHead(200, {'Content-Type': 'text/plain', 'Set-Cookie': setCookie});
+    res.end(cookie);
+  },
   '/headers': function(res) {
     res.writeHead(200, {
       'Date': 'Mon, 13 Oct 2014 21:02:27 GMT',
diff --git a/test/test.js b/test/test.js
index 04dcd42d..3574daf8 100644
--- a/test/test.js
+++ b/test/test.js
@@ -283,3 +283,64 @@ suite('Atomic HTTP redirect handling', function() {
     })
   })
 })
+
+// https://fetch.spec.whatwg.org/#concept-request-credentials-mode
+suite('credentials mode', function() {
+  var omitSupported = !self.fetch.polyfill
+
+  ;(omitSupported ? suite : suite.skip)('omit', function() {
+    test('request credentials defaults to omit', function() {
+      var request = new Request('')
+      assert.equal(request.credentials, 'omit')
+    })
+
+    test('does not send cookies with implicit omit credentials', function() {
+      return fetch('/cookie?name=foo&value=bar').then(function() {
+        return fetch('/cookie?name=foo');
+      }).then(function(response) {
+        return response.text()
+      }).then(function(data) {
+        assert.equal(data, '')
+      })
+    })
+
+    test('does not send cookies with omit credentials', function() {
+      return fetch('/cookie?name=foo&value=bar').then(function() {
+        return fetch('/cookie?name=foo', {credentials: 'omit'})
+      }).then(function(response) {
+        return response.text()
+      }).then(function(data) {
+        assert.equal(data, '')
+      })
+    })
+  })
+
+  suite('same-origin', function() {
+    test('request credentials uses inits member', function() {
+      var request = new Request('', {credentials: 'same-origin'})
+      assert.equal(request.credentials, 'same-origin')
+    })
+
+    test('send cookies with same-origin credentials', function() {
+      return fetch('/cookie?name=foo&value=bar').then(function() {
+        return fetch('/cookie?name=foo', {credentials: 'same-origin'})
+      }).then(function(response) {
+        return response.text()
+      }).then(function(data) {
+        assert.equal(data, 'bar')
+      })
+    })
+  })
+
+  suite('include', function() {
+    test('send cookies with include credentials', function() {
+      return fetch('/cookie?name=foo&value=bar').then(function() {
+        return fetch('/cookie?name=foo', {credentials: 'include'})
+      }).then(function(response) {
+        return response.text()
+      }).then(function(data) {
+        assert.equal(data, 'bar')
+      })
+    })
+  })
+})