diff --git a/fetch/api/cors/cors-expose-star-worker.html b/fetch/api/cors/cors-expose-star-worker.html new file mode 100644 index 00000000000000..db9b94320cfe56 --- /dev/null +++ b/fetch/api/cors/cors-expose-star-worker.html @@ -0,0 +1,14 @@ + + + + + Fetch in worker: Access-Control-Expose-Headers: * + + + + + + + diff --git a/fetch/api/cors/cors-expose-star.html b/fetch/api/cors/cors-expose-star.html new file mode 100644 index 00000000000000..37223bdaaa64a1 --- /dev/null +++ b/fetch/api/cors/cors-expose-star.html @@ -0,0 +1,13 @@ + + + + + Fetch: Access-Control-Expose-Headers: * + + + + + + + + diff --git a/fetch/api/cors/cors-expose-star.js b/fetch/api/cors/cors-expose-star.js new file mode 100644 index 00000000000000..90a9351d1e8623 --- /dev/null +++ b/fetch/api/cors/cors-expose-star.js 
@@ -0,0 +1,31 @@
+if (this.document === undefined) {
+ importScripts("/resources/testharness.js");
+ importScripts("../resources/utils.js");
+}
+
+const url = "http://{{host}}:{{ports[http][1]}}" + dirname(location.pathname) + RESOURCES_DIR + "top.txt",
+ sharedHeaders = "?pipe=header(Access-Control-Expose-Headers,*)|header(Test,X)|header(Set-Cookie,X)|"
+
+promise_test(() => {
+ const headers = "header(Access-Control-Allow-Origin,*)"
+ return fetch(url + sharedHeaders + headers).then(resp => {
+ assert_equals(resp.status, 200)
+ assert_equals(resp.type , "cors")
+ assert_equals(resp.headers.get("test"), "X")
+ assert_equals(resp.headers.get("set-cookie"), null)
+ })
+}, "Basic Access-Control-Expose-Headers: * support")
+
+promise_test(() => {
+ const origin = location.origin, // assuming an ASCII origin
+ headers = "header(Access-Control-Allow-Origin," + origin + ")|header(Access-Control-Allow-Credentials,true)"
+ return fetch(url + sharedHeaders + headers, { credentials:"include" }).then(resp => {
+ assert_equals(resp.status, 200)
+ assert_equals(resp.type , "cors")
+ assert_equals(resp.headers.get("content-type"), "text/plain") // safelisted
+ assert_equals(resp.headers.get("test"), null)
+ assert_equals(resp.headers.get("set-cookie"), null)
+ })
+}, "Cannot use * for credentialed fetches")
+
+done();
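Review bot: The second promise_test ("Cannot use * for credentialed fetches") only asserts that `test` stays hidden, so it would also pass on an implementation that discards Access-Control-Expose-Headers entirely for credentialed responses. It never checks that `*` is then treated as an ordinary header name. Adding `header(*,whoa)|` to that request's pipe and asserting `assert_equals(resp.headers.get("*"), "whoa")` would pin the literal-match behaviour. A further case where `*` is listed alongside other names would cover the remaining parsing path. The two `set-cookie` assertions would also benefit from a comment such as `// Set-Cookie is a forbidden response-header name; * must never expose it`, so the security intent is clear to whoever maintains the test.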