| <!DOCTYPE html> |
| <html> |
| <head> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| </head> |
| <body> |
| <script> |
| async_test(function (t) { |
| var i = document.createElement('iframe'); |
| i.src = "../../resources/frame-ancestors-and-x-frame-options.pl?policy='self'&xfo=DENY"; |
| i.onload = t.step_func_done(function () { |
| assert_equals(i.contentDocument.origin, document.origin, "The same-origin page loaded."); |
| }); |
| document.body.appendChild(i); |
| }, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would block the page."); |
| |
| async_test(function (t) { |
| var i = document.createElement('iframe'); |
| i.src = "../../resources/frame-ancestors-and-x-frame-options.pl?policy=other-origin.com&xfo=SAMEORIGIN"; |
| i.onload = t.step_func_done(function () { |
| assert_throws( |
| "SecurityError", |
| function () { i.contentDocument.origin }, |
| "The same-origin page was blocked and sandboxed."); |
| }); |
| document.body.appendChild(i); |
| }, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would allow the page."); |
| </script> |
| </body> |
| </html> |