Experimental Feature: Allow-CSP-From header

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-header.php

+<?php
+    $allow_csp_from = isset($_GET['allow_csp_from']) ? $_GET['allow_csp_from'] : null;
+    if ($allow_csp_from)
+        header('Allow-CSP-From: ' . $allow_csp_from);
+    $csp = isset($_GET['csp']) ? $_GET['csp'] : null;
+    if ($csp)
+        header('Content-Security-Policy: ' . $csp);
+?>
+
+<!DOCTYPE html>
+<html>
+<head>
+        <title>This page enforces embedder's policies</title>
+</head>
+<body>
+        Hello World.
+        <iframe src="/cross-site/b.com/title2.html"></iframe>
+        <img src="green250x50.png" />
+        <script> alert("Hello from iframe");</script>
+        <script> window.top.postMessage('loaded', '*'); </script>
+</body>
+</html>