Experimental Feature: Allow-CSP-From header

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-multiple-headers.php

+<?php
+    $allow_csp_from = isset($_GET['allow_csp_from']) ? $_GET['allow_csp_from'] : null;
+    if ($allow_csp_from)
+        header('Allow-CSP-From: ' . $allow_csp_from, false);
+    $allow_csp_from_2 = isset($_GET['allow_csp_from_2']) ? $_GET['allow_csp_from_2'] : null;
+    if ($allow_csp_from_2)
+        header('Allow-CSP-From: ' . $allow_csp_from_2, false);
+?>
+<!DOCTYPE html>
+<html>
+<head>
+        <title>This page enforces embedder's policies</title>
+</head>
+<body>
+        Hello World.
+        <iframe src="/cross-site/b.com/title2.html"></iframe>
+        <img src="green250x50.png" />
+        <script> alert("Hello from iframe");</script>
+        <script> window.top.postMessage('loaded', '*'); </script>
+</body>
+</html>