<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<script>
// Case 1: X-Frame-Options alone would block, frame-ancestors allows.
// The helper resource is requested with policy='self' and xfo=DENY; it
// presumably echoes those as the CSP frame-ancestors source list and the
// X-Frame-Options header (the .pl script is not visible here, so confirm).
// CSP says frame-ancestors takes precedence when both are present, so this
// same-origin embedder is expected to be allowed despite DENY.
async_test(function (t) {
  var frame = document.createElement('iframe');
  var url = "../../resources/frame-ancestors-and-x-frame-options.pl?policy='self'&xfo=DENY";

  // The test only completes from the load handler. Being able to read
  // contentDocument at all shows the framed document stayed same-origin,
  // i.e. it was not replaced by a blocked or error document.
  // NOTE(review): document.origin is a legacy accessor; check it is still
  // available in the target engine before porting this test.
  frame.onload = t.step_func_done(function () {
    assert_equals(frame.contentDocument.origin, document.origin, "The same-origin page loaded.");
  });

  // No fetch starts until the element is attached, so the handler above is
  // registered before any load event can fire.
  frame.src = url;
  document.body.appendChild(frame);
}, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would block the page.");
// Case 2: X-Frame-Options alone would allow, frame-ancestors blocks.
// The helper resource is requested with policy=other-origin.com and
// xfo=SAMEORIGIN (presumably echoed as response headers; the .pl script is
// not visible here). This embedder is same-origin with the resource, so
// SAMEORIGIN on its own would permit framing. It is not other-origin.com,
// so frame-ancestors must win and the load must be refused. This is the
// fail-closed direction: a permissive legacy header must not weaken the
// stricter CSP framing policy.
async_test(function (t) {
  var frame = document.createElement('iframe');
  var url = "../../resources/frame-ancestors-and-x-frame-options.pl?policy=other-origin.com&xfo=SAMEORIGIN";

  // Touching the framed document is expected to raise SecurityError, which
  // indicates the frame no longer holds the same-origin page.
  function readFramedOrigin() { frame.contentDocument.origin }

  // The test relies on a load event still firing for the blocked frame. If
  // the engine fires none, the test times out instead of failing cleanly.
  // NOTE(review): newer testharness.js releases split assert_throws into
  // assert_throws_dom / assert_throws_js. Confirm which API the bundled
  // harness provides before migrating.
  frame.onload = t.step_func_done(function () {
    assert_throws(
      "SecurityError",
      readFramedOrigin,
      "The same-origin page was blocked and sandboxed.");
  });

  frame.src = url;
  document.body.appendChild(frame);
}, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would allow the page.");
</script>
</body>
</html>