diff --git a/content-security-policy/sandbox/meta-element.sub.html b/content-security-policy/sandbox/meta-element.sub.html
new file mode 100644
index 00000000000000..a681fa4c2a6904
--- /dev/null
+++ b/content-security-policy/sandbox/meta-element.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta content="sandbox allow-scripts" http-equiv="Content-Security-Policy">
+<body>
+<script>
+// According to
+// https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-content-security-policy
+// `sandbox` directives must be ignored when delivered via `<meta>`.
+test(() => {
+  assert_equals(location.origin, "{{location[scheme]}}://{{location[host]}}");
+}, "Document shouldn't be sandboxed by <meta>");
+
+async_test(t => {
+  const worker = new Worker("support/post-origin-on-load-worker.js");
+  worker.onerror = t.unreached_func("Worker construction failed");
+  worker.onmessage = t.step_func_done(e => {
+    assert_equals(e.data, "{{location[scheme]}}://{{location[host]}}");
+  });
+}, "Worker shouldn't be sandboxed by inheriting <meta>");
+</script>
+</body>
diff --git a/content-security-policy/sandbox/service-worker-sandbox.https.html b/content-security-policy/sandbox/service-worker-sandbox.https.html
new file mode 100644
index 00000000000000..00d750f83e65d5
--- /dev/null
+++ b/content-security-policy/sandbox/service-worker-sandbox.https.html
@@ -0,0 +1,75 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
+<body>
+<script>
+let frame = null;
+let worker = null;
+const scope = 'support/empty.html';
+const script = 'support/sandboxed-service-worker.js';
+
+// Global setup: this must be the first promise_test.
+promise_test(async (t) => {
+  const registration =
+      await service_worker_unregister_and_register(t, script, scope);
+  worker = registration.installing;
+  await wait_for_state(t, worker, 'activated');
+  frame = await with_iframe(scope);
+}, 'global setup');
+
+promise_test(async (t) => {
+  const r = await frame.contentWindow.fetch('/get-origin', {mode: 'cors'});
+  const j = await r.json();
+  assert_equals(j.origin, 'null', 'Origin should be opaque');
+}, 'Origin of sandboxed service worker');
+
+promise_test(async (t) => {
+  const r = await frame.contentWindow.fetch('/get-origin', {mode: 'same-origin'});
+  const j = await r.json();
+  assert_equals(j.origin, 'null', 'Origin should be opaque');
+}, 'Response generated by sandboxed service worker can be fetched as same-origin');
+
+promise_test(t => {
+  return promise_rejects_js(
+      t,
+      frame.contentWindow.TypeError,
+      frame.contentWindow.fetch(
+        '/fetch?url=' + encodeURIComponent(location.origin + '/fetch/api/resources/top.txt?hash=' + Math.random()),
+        {mode: 'same-origin'}));
+}, 'Fetch by sandboxed service worker should fail because of opaque origin (mode: same-origin)');
+
+promise_test(t => {
+  return promise_rejects_js(
+      t,
+      frame.contentWindow.TypeError,
+      frame.contentWindow.fetch(
+        '/fetch?url=' + encodeURIComponent(location.origin + '/fetch/api/resources/top.txt?hash=' + Math.random()),
+        {mode: 'cors'}));
+}, 'Fetch by sandboxed service worker should fail because of opaque origin (mode: cors)');
+
+promise_test(t => {
+  return promise_rejects_js(
+      t,
+      frame.contentWindow.TypeError,
+      frame.contentWindow.fetch(
+        '/fetch?url=' + encodeURIComponent(location.origin + '/fetch/api/resources/cors-top.txt?hash=' + Math.random()),
+        {mode: 'same-origin'}));
+}, 'Fetch by sandboxed service worker should fail because of opaque origin (mode: same-origin, with ACAOrigin)');
+
+promise_test(async (t) => {
+  const r = await frame.contentWindow.fetch(
+    '/fetch?url=' + encodeURIComponent(location.origin + '/fetch/api/resources/cors-top.txt?hash=' + Math.random()),
+    {mode: 'cors'});
+  const text = await r.text();
+  assert_equals(text, 'top');
+}, 'Fetch by sandboxed service worker should succeed (mode: cors, with ACAOrigin)');
+
+// Global cleanup: the final promise_test.
+promise_test(async (t) => {
+  if (frame)
+    frame.remove();
+  await service_worker_unregister(t, scope);
+}, 'global cleanup');
+</script>
diff --git a/content-security-policy/sandbox/shared-worker-sandbox.html b/content-security-policy/sandbox/shared-worker-sandbox.html
new file mode 100644
index 00000000000000..5432300ec63215
--- /dev/null
+++ b/content-security-policy/sandbox/shared-worker-sandbox.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+async_test(t => {
+  const worker = new SharedWorker("support/post-origin-on-load-worker.js?" + Math.random());
+  worker.onerror = t.unreached_func("Worker construction failed");
+  worker.port.onmessage = t.step_func_done(e => {
+    assert_equals(e.data, "null", "Origin should be opaque");
+  });
+}, "SharedWorker is sandboxed");
+</script>
+</body>
diff --git a/content-security-policy/sandbox/support/empty.html b/content-security-policy/sandbox/support/empty.html
new file mode 100644
index 00000000000000..e69de29bb2d1d6
diff --git a/content-security-policy/sandbox/support/post-origin-on-load-worker.js b/content-security-policy/sandbox/support/post-origin-on-load-worker.js
new file mode 100644
index 00000000000000..9771cfc2b90f68
--- /dev/null
+++ b/content-security-policy/sandbox/support/post-origin-on-load-worker.js
@@ -0,0 +1,10 @@
+if ('DedicatedWorkerGlobalScope' in self &&
+    self instanceof DedicatedWorkerGlobalScope) {
+  postMessage(self.origin);
+} else if (
+    'SharedWorkerGlobalScope' in self &&
+    self instanceof SharedWorkerGlobalScope) {
+  self.onconnect = e => {
+    e.ports[0].postMessage(self.origin);
+  };
+}
diff --git a/content-security-policy/sandbox/support/post-origin-on-load-worker.js.headers b/content-security-policy/sandbox/support/post-origin-on-load-worker.js.headers
new file mode 100644
index 00000000000000..1efcf8c226fac0
--- /dev/null
+++ b/content-security-policy/sandbox/support/post-origin-on-load-worker.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-scripts
diff --git a/content-security-policy/sandbox/support/sandboxed-service-worker.js b/content-security-policy/sandbox/support/sandboxed-service-worker.js
new file mode 100644
index 00000000000000..33531ca413866b
--- /dev/null
+++ b/content-security-policy/sandbox/support/sandboxed-service-worker.js
@@ -0,0 +1,14 @@
+self.addEventListener('fetch', function(event) {
+    var url = event.request.url;
+    if (url.indexOf('get-origin') != -1) {
+      event.respondWith(new Promise(function(resolve) {
+        resolve(new Response(JSON.stringify({
+            origin: self.origin
+          })));
+        }));
+    }
+    else if (url.indexOf('fetch') != -1) {
+      const url = new URL(event.request.url);
+      event.respondWith(fetch(url.searchParams.get('url'), {mode: event.request.mode}));
+    }
+  });
diff --git a/content-security-policy/sandbox/support/sandboxed-service-worker.js.headers b/content-security-policy/sandbox/support/sandboxed-service-worker.js.headers
new file mode 100644
index 00000000000000..1efcf8c226fac0
--- /dev/null
+++ b/content-security-policy/sandbox/support/sandboxed-service-worker.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-scripts