diff --git a/fetch/cross-origin-resource-policy/resources/hello.py b/fetch/cross-origin-resource-policy/resources/hello.py
new file mode 100644
index 00000000000000..2b7cb6c6fc9fa9
--- /dev/null
+++ b/fetch/cross-origin-resource-policy/resources/hello.py
@@ -0,0 +1,6 @@
+def main(request, response):
+    headers = [("Cross-Origin-Resource-Policy", request.GET['corp'])]
+    if 'origin' in request.headers:
+        headers.append(('Access-Control-Allow-Origin', request.headers['origin']))
+
+    return 200, headers, "hello"
diff --git a/fetch/cross-origin-resource-policy/syntax.any.js b/fetch/cross-origin-resource-policy/syntax.any.js
new file mode 100644
index 00000000000000..cf5b06d5c4f4b6
--- /dev/null
+++ b/fetch/cross-origin-resource-policy/syntax.any.js
@@ -0,0 +1,18 @@
+// META: script=/common/get-host-info.sub.js
+
+const crossOriginURL = get_host_info().HTTP_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/hello.py?corp=";
+
+[
+  "same",
+  "same, same-origin",
+  "SAME-ORIGIN",
+  "Same-Origin",
+  "same-origin, <>",
+  "same-origin, same-origin"
+].forEach(incorrectHeaderValue => {
+  // Note: an incorrect value results in a successful load, so this test is only meaningful in
+  // implementations with support for the header.
+  promise_test(t => {
+    return fetch(crossOriginURL + encodeURIComponent(incorrectHeaderValue), { mode: "no-cors" });
+  }, "Parsing Cross-Origin-Resource-Policy: " + incorrectHeaderValue);
+});