diff --git a/fetch/api/cors/cors-expose-star-worker.html b/fetch/api/cors/cors-expose-star-worker.html
new file mode 100644
index 00000000000000..db9b94320cfe56
--- /dev/null
+++ b/fetch/api/cors/cors-expose-star-worker.html
@@ -0,0 +1,14 @@
+
+
+
+
+ Fetch in worker: Access-Control-Expose-Headers: *
+
+
+
+
+
+
+
diff --git a/fetch/api/cors/cors-expose-star.html b/fetch/api/cors/cors-expose-star.html
new file mode 100644
index 00000000000000..37223bdaaa64a1
--- /dev/null
+++ b/fetch/api/cors/cors-expose-star.html
@@ -0,0 +1,13 @@
+
+
+
+
+ Fetch: Access-Control-Expose-Headers: *
+
+
+
+
+
+
+
+
diff --git a/fetch/api/cors/cors-expose-star.js b/fetch/api/cors/cors-expose-star.js
new file mode 100644
index 00000000000000..90a9351d1e8623
--- /dev/null
+++ b/fetch/api/cors/cors-expose-star.js
@@ -0,0 +1,31 @@
+if (this.document === undefined) {
+ importScripts("/resources/testharness.js");
+ importScripts("../resources/utils.js");
+}
+
+const url = "http://{{host}}:{{ports[http][1]}}" + dirname(location.pathname) + RESOURCES_DIR + "top.txt",
+ sharedHeaders = "?pipe=header(Access-Control-Expose-Headers,*)|header(Test,X)|header(Set-Cookie,X)|"
+
+promise_test(() => {
+ const headers = "header(Access-Control-Allow-Origin,*)"
+ return fetch(url + sharedHeaders + headers).then(resp => {
+ assert_equals(resp.status, 200)
+ assert_equals(resp.type , "cors")
+ assert_equals(resp.headers.get("test"), "X")
+ assert_equals(resp.headers.get("set-cookie"), null)
+ })
+}, "Basic Access-Control-Expose-Headers: * support")
+
+promise_test(() => {
+ const origin = location.origin, // assuming an ASCII origin
+ headers = "header(Access-Control-Allow-Origin," + origin + ")|header(Access-Control-Allow-Credentials,true)"
+ return fetch(url + sharedHeaders + headers, { credentials:"include" }).then(resp => {
+ assert_equals(resp.status, 200)
+ assert_equals(resp.type , "cors")
+ assert_equals(resp.headers.get("content-type"), "text/plain") // safelisted
+ assert_equals(resp.headers.get("test"), null)
+ assert_equals(resp.headers.get("set-cookie"), null)
+ })
+}, "Cannot use * for credentialed fetches")
+
+done();
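Review bot: The "Cannot use * for credentialed fetches" case pins only the negative half of the rule: it asserts that `Test` stays hidden, but not that `*` is then matched as a literal header name, which is how Fetch treats the wildcard once credentials are included. As written, an implementation that drops `Access-Control-Expose-Headers` entirely for credentialed responses would still pass, so the test cannot tell "wildcard disabled" from "expose list ignored". Consider sending a header literally named `*` in that case and asserting it is readable, for example by adding `header(*,whoa)|` to the pipe string (assuming the wptserve pipe accepts `*` as a name) and `assert_equals(resp.headers.get("*"), "whoa")`. A short comment on the two `set-cookie` assertions, such as `// forbidden response-header name, never exposed`, would also make clear that they hold regardless of the wildcard, matching the existing `// safelisted` note.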