Do not allow CORS responses to "same-origin" requests
Issue description
Spec update. See https://github.com/whatwg/fetch/issues/629 and https://github.com/whatwg/fetch/pull/655.
WPT tests should be updated via https://bugzilla.mozilla.org/show_bug.cgi?id=1427978
Chrome status: https://www.chromestatus.com/feature/5694278818856960
Jan 17 2018
That's great news! I've assigned the bug to you.
Jan 24 2018
Jan 24 2018
One small thing I noticed is that one of the WPTs from Mozilla started to pass before this CL landed: https://chromium-review.googlesource.com/c/chromium/src/+/881762/5/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/worker-interception.https.html Is there something wrong with this test, or am I missing something here?
Jan 24 2018
Chrome fails to load the worker script for that test, but for an unrelated reason. It was failing the test before:

-FAIL Verify worker script intercepted by cors response succeeds promise_test: Unhandled rejection with value: undefined
+PASS Verify worker script intercepted by cors response fails

I think it's probably failing to intercept the worker script for the same reason it's failing the first test in the file as well. The spec currently requires that worker script loads be treated as non-subresource loads, so they should be intercepted even if the parent document is not controlled. It seems Chrome is currently treating them like subresource loads and requires the parent document to be controlled. If you want, you could change this test to create a controlled frame and load the worker from there. It would isolate the behavior that is trying to be tested from the "are worker scripts subresources" question.
Jan 24 2018
Or we could make the test not get a 404 for the worker script if the service worker does not intercept. The "network" response could post a message indicating the wrong script was loaded or something.
Jan 24 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2e1f3c3724269c16527397f488530cd68003bf16

commit 2e1f3c3724269c16527397f488530cd68003bf16
Author: Yannic Bonenberger <contact@yannic-bonenberger.com>
Date: Wed Jan 24 17:47:48 2018

Do not allow CORS responses to "same-origin" requests

This matches the change in the Fetch spec: https://github.com/whatwg/fetch/issues/629

This CL also removes the UseCounter for cross-origin CORS responses to same-origin requests because it will be unreachable hereafter.

Chrome status: https://www.chromestatus.com/feature/5694278818856960

Bug: 800234, 784018
Change-Id: Id843a302fa5d0614de1c3ef1c0a39bcf92f7e3ef
Reviewed-on: https://chromium-review.googlesource.com/866849
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Tsuyoshi Horo <horo@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Yannic Bonenberger <contact@yannic-bonenberger.com>
Cr-Commit-Position: refs/heads/master@{#531594}

[delete] https://crrev.com/f6e20f64fb9d6bc4045aea5b24de4ab0b8bfb455/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/fetch-response-taint.https-expected.txt
[delete] https://crrev.com/f6e20f64fb9d6bc4045aea5b24de4ab0b8bfb455/third_party/WebKit/LayoutTests/http/tests/serviceworker/chromium.respond-to-same-origin-request-with-cross-origin-response.html
[delete] https://crrev.com/f6e20f64fb9d6bc4045aea5b24de4ab0b8bfb455/third_party/WebKit/LayoutTests/http/tests/serviceworker/chromium.respond-to-same-origin-request-with-redirected-cross-origin-response.html
[modify] https://crrev.com/2e1f3c3724269c16527397f488530cd68003bf16/third_party/WebKit/Source/modules/payments/PaymentHandlerUtils.cpp
[modify] https://crrev.com/2e1f3c3724269c16527397f488530cd68003bf16/third_party/WebKit/Source/modules/serviceworkers/FetchRespondWithObserver.cpp
[modify] https://crrev.com/2e1f3c3724269c16527397f488530cd68003bf16/third_party/WebKit/common/service_worker/service_worker_error_type.mojom
[modify] https://crrev.com/2e1f3c3724269c16527397f488530cd68003bf16/third_party/WebKit/public/platform/web_feature.mojom
[modify] https://crrev.com/2e1f3c3724269c16527397f488530cd68003bf16/tools/metrics/histograms/enums.xml
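The rule the commit above implements, shown as an added example (this is not code from the page, from Chromium, or from the Fetch spec): a plain-JavaScript model of the checks the Fetch spec applies to a response a service worker hands to FetchEvent.respondWith(), with the whatwg/fetch#629 rule that a "cors"-typed response may not satisfy a request whose mode is "same-origin". Requests and responses are plain objects using the spec's mode / redirect / type vocabulary; the origin https://app.example, the CDN https://cdn.example, and the helper names are assumptions of the example.

```javascript
// Added example, not Chromium or Fetch spec code. Models the respondWith()
// response checks from the Fetch spec as a pure function over plain objects.

const NETWORK_ERROR = "network error";

// Returns null when the response may be delivered to the page, otherwise the
// name of the rule the respondWith() response violates.
function respondWithViolation(request, response) {
  if (response.type === "error") return "error response";
  if (request.mode === "same-origin" && response.type === "cors") {
    // The rule added by the spec change tracked in this bug (whatwg/fetch#629).
    return "cors response to same-origin request";
  }
  if (request.mode !== "no-cors" && response.type === "opaque") {
    return "opaque response to non-no-cors request";
  }
  if (request.redirect !== "manual" && response.type === "opaqueredirect") {
    return "opaqueredirect response to non-manual-redirect request";
  }
  return null;
}

// Response type the service worker's own fetch(url, { mode }) would produce.
// Assumption for this example: cross-origin servers answer with a permissive
// Access-Control-Allow-Origin header, so a mode "cors" subfetch succeeds.
function subfetchResponseType(swOrigin, url, mode) {
  if (new URL(url).origin === swOrigin) return "basic";
  if (mode === "same-origin") return "error";
  if (mode === "no-cors") return "opaque";
  return "cors";
}

// Simulates one FetchEvent: `handler` receives the request and returns the
// response descriptor it passes to respondWith(). The result is either that
// response or a network error, which is what the page ends up observing.
function simulateFetchEvent(request, handler) {
  const response = handler(request);
  const violation = respondWithViolation(request, response);
  return violation
    ? { result: NETWORK_ERROR, reason: violation }
    : { result: "delivered", type: response.type };
}

// Constructed scenarios (hypothetical) for a service worker at https://app.example.
function runScenarios() {
  const origin = "https://app.example";
  const subfetch = (url, mode) => ({ type: subfetchResponseType(origin, url, mode) });
  const follow = (mode) => ({ mode, redirect: "follow" });
  const cases = [
    // A worker-script load (mode "same-origin") answered from a CORS-enabled CDN:
    // previously only counted by a UseCounter in Chromium, now a network error.
    ["same-origin request, cors response", follow("same-origin"),
      () => subfetch("https://cdn.example/worker.js", "cors")],
    ["same-origin request, basic response", follow("same-origin"),
      () => subfetch("https://app.example/worker.js", "same-origin")],
    // A page-initiated fetch() defaults to mode "cors"; a cors response is fine.
    ["cors request, cors response", follow("cors"),
      () => subfetch("https://cdn.example/data.json", "cors")],
    ["cors request, opaque response", follow("cors"),
      () => subfetch("https://cdn.example/data.json", "no-cors")],
    // A cross-origin <script src> is a no-cors request; opaque is allowed there.
    ["no-cors request, opaque response", follow("no-cors"),
      () => subfetch("https://cdn.example/lib.js", "no-cors")],
    // A synthesized `new Response(...)` has type "default" and is always allowed.
    ["same-origin request, synthesized response", follow("same-origin"),
      () => ({ type: "default" })],
  ];
  return cases.map(([name, request, handler]) => ({ name, ...simulateFetchEvent(request, handler) }));
}
```

The first scenario is the one the deleted chromium.respond-to-same-origin-request-with-cross-origin-response.html test used to exercise: a same-origin request served from a cross-origin CORS fetch. After this change it is a network error rather than a delivered response, so a service worker that proxies same-origin script or worker loads through a CDN has to synthesize a new Response from the body instead of forwarding the cors-typed one.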
Feb 1 2018
Landed in 66.0.3331.0
Comment 1 by yannic.b...@gmail.com, Jan 16 2018