Index: LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html |
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html |
new file mode 100644 |
index 0000000000000000000000000000000000000000..2205b5a1900a8678d5e54fb4c904b3a38e839d0f |
--- /dev/null |
+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html |
@@ -0,0 +1,31 @@ |
+<!DOCTYPE html> |
+<html> |
+<head> |
+ <script src="/resources/testharness.js"></script> |
+ <script src="/resources/testharnessreport.js"></script> |
+</head> |
+<body> |
+ <script> |
+ async_test(function (t) { |
+ var i = document.createElement('iframe'); |
+ i.src = "../../resources/frame-ancestors-and-x-frame-options.pl?policy='self'&xfo=DENY"; |
+ i.onload = t.step_func_done(function () { |
+ assert_equals(i.contentDocument.origin, document.origin, "The same-origin page loaded."); |
+ }); |
+ document.body.appendChild(i); |
+ }, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would block the page."); |
+ |
+ async_test(function (t) { |
+ var i = document.createElement('iframe'); |
+ i.src = "../../resources/frame-ancestors-and-x-frame-options.pl?policy=other-origin.com&xfo=SAMEORIGIN"; |
+ i.onload = t.step_func_done(function () { |
+ assert_throws( |
+ "SecurityError", |
+ function () { i.contentDocument.origin }, |
+ "The same-origin page was blocked and sandboxed."); |
+ }); |
+ document.body.appendChild(i); |
+ }, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would allow the page."); |
+ </script> |
+</body> |
+</html> |
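Review bot: The blocked case (second `async_test`) pins the exception type to `"SecurityError"` when reading `i.contentDocument.origin`, which ties the result to how the engine reports cross-origin access rather than to the frame actually having been blocked. Where `contentDocument` is `null` for a cross-origin frame, the callback would throw a `TypeError` and the test would fail even though `frame-ancestors` was enforced; if that matches the engine's behaviour, a check that does not depend on the error type would be `assert_equals(i.contentDocument, null, "The page was blocked.");`. The allowed case (first `async_test`) only compares origins, so any same-origin response from the `.pl` resource, including an error page, would satisfy it; asserting on something the resource body is known to contain would make the pass meaningful. Both cases presumably deliver an enforced policy (the `.pl` resource is not shown here), so a third case with `frame-ancestors` in a report-only policy would confirm that `X-Frame-Options` is still honoured when the directive is not enforced.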