diff --git a/fetch.bs b/fetch.bs
index 81611d005..16824d762 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -2406,6 +2406,12 @@ with a CORS flag and recursive flag, run these steps:
referrer to "no-referrer
" or
have it expose less sensitive information.
+
If request's current URL includes credentials,
+ and request's reserved client is either null
+ or an environment whose target browsing context is a
+ nested browsing context, set response to a network error.
+
Set request's current url's
scheme to "https
" if