diff --git a/fetch.bs b/fetch.bs
index 81611d005..16824d762 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -2406,6 +2406,12 @@ with a <i>CORS flag</i> and <i>recursive flag</i>, run these steps:
   <a for=request>referrer</a> to "<code>no-referrer</code>" or
   have it expose less sensitive information.
 
+ <li>
+  <p>If <var>request</var>'s <a for=request>current URL</a> <a for=URL>includes credentials</a>,
+  and <var>request</var>'s <a for=request>reserved client</a> is either <code>null</code>
+  or an <a>environment</a> whose <a for=environment>target browsing context</a> is a
+  <a>nested browsing context</a>, set <var>response</var> to a <a>network error</a>.
+
  <li>
   <p>Set <var>request</var>'s <a for=request>current url</a>'s
   <a for=url>scheme</a> to "<code>https</code>" if