diff --git a/testing/web-platform/tests/fetch/api/cors/resources/not-cors-safelisted.json b/testing/web-platform/tests/fetch/api/cors/resources/not-cors-safelisted.json
index 20a162f92c13..945dc0f93ba4 100644
--- a/testing/web-platform/tests/fetch/api/cors/resources/not-cors-safelisted.json
+++ b/testing/web-platform/tests/fetch/api/cors/resources/not-cors-safelisted.json
@@ -3,9 +3,11 @@
   ["accept", "012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678"],
   ["accept-language", "\u0001"],
   ["accept-language", "@"],
+  ["authorization", "basics"],
   ["content-language", "\u0001"],
   ["content-language", "@"],
   ["content-type", "text/html"],
   ["content-type", "text/plain; long=0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901"],
+  ["range", "bytes 0-"],
   ["test", "hi"]
 ]
diff --git a/testing/web-platform/tests/fetch/api/credentials/authentication-basic.any.js b/testing/web-platform/tests/fetch/api/credentials/authentication-basic.any.js
index bea436621fbd..41cf6cf295cd 100644
--- a/testing/web-platform/tests/fetch/api/credentials/authentication-basic.any.js
+++ b/testing/web-platform/tests/fetch/api/credentials/authentication-basic.any.js
@@ -1,11 +1,10 @@
 
 
-
 function basicAuth(desc, user, pass, mode, status) {
   promise_test(function(test) {
     var headers = { "Authorization": "Basic " + btoa(user + ":" + pass)};
     var requestInit = {"credentials": mode, "headers": headers};
-    return fetch(RESOURCES_DIR + "authentication.py?realm=test", requestInit).then(function(resp) {
+    return fetch("../resources/authentication.py?realm=test", requestInit).then(function(resp) {
         assert_equals(resp.status, status, "HTTP status is " + status);
         assert_equals(resp.type , "basic", "Response's type is basic");
     });
@@ -15,3 +14,4 @@ function basicAuth(desc, user, pass, mode, status) {
 basicAuth("User-added Authorization header with include mode", "user", "password", "include", 200);
 basicAuth("User-added Authorization header with same-origin mode", "user", "password", "same-origin", 200);
 basicAuth("User-added Authorization header with omit mode", "user", "password", "omit", 200);
+basicAuth("User-added bogus Authorization header with omit mode", "notuser", "notpassword", "omit", 401);
diff --git a/testing/web-platform/tests/fetch/api/resources/utils.js b/testing/web-platform/tests/fetch/api/resources/utils.js
index b88b91851db8..2d39c1e8260d 100644
--- a/testing/web-platform/tests/fetch/api/resources/utils.js
+++ b/testing/web-platform/tests/fetch/api/resources/utils.js
@@ -1,12 +1,5 @@
-var inWorker = false;
 var RESOURCES_DIR = "../resources/";
 
-try {
-  inWorker = !(self instanceof Window);
-} catch (e) {
-  inWorker = true;
-}
-
 function dirname(path) {
     return path.replace(/\/[^\/]*$/, '/')
 }