frame-ancestors-overrides-xfo.html (1690B)
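<!DOCTYPE html>
<html>
<head>
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
</head>
<body>
    <script>
        // Both tests frame the same support page with two framing controls set at
        // once: a CSP 'frame-ancestors' source list (`policy`) and an
        // X-Frame-Options value (`xfo`). The support page is not shown here;
        // presumably it turns the two query parameters into response headers.
        // The CSP specification says 'frame-ancestors' obsoletes X-Frame-Options,
        // so when both are present only the CSP directive should be enforced.
        // Each test picks a pair where the two headers disagree.

        // Case 1: XFO alone (DENY) would block the frame, CSP ('self') allows it.
        // Expected result: the same-origin document loads.
        async_test(function (t) {
            const frame = document.createElement('iframe');
            frame.src = "support/frame-ancestors-and-x-frame-options.sub.html?policy='self'&xfo=DENY";
            frame.onload = t.step_func_done(function () {
                // Reading `origin` through contentWindow only succeeds for a
                // same-origin document, so a blocked load would fail this step
                // either by throwing or by the comparison itself.
                assert_equals(frame.contentWindow.origin, window.origin, "The same-origin page loaded.");
            });
            document.body.appendChild(frame);
        }, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would block the page.");

        // Case 2: XFO alone (SAMEORIGIN) would allow the frame, CSP names a
        // different origin and so forbids it. Expected result: the load is
        // blocked and the embedder cannot reach the frame's document.
        async_test(function (t) {
            const frame = document.createElement('iframe');
            frame.src = "support/frame-ancestors-and-x-frame-options.sub.html?policy=other-origin.com&xfo=SAMEORIGIN";

            // Declared before checkDone so the callback never sees it uninitialised.
            let timer;

            // Declared locally: the original assigned `checkDone` without a
            // declaration, which created an implicit global shared with any other
            // script on the page (and would throw in strict mode).
            const checkDone = t.step_func(function () {
                clearTimeout(timer);
                try {
                    // Still on the initial about:blank document, or the new
                    // document has not finished loading: poll again in 10 ms.
                    if (frame.contentWindow.location.href === "about:blank" ||
                        (frame.contentDocument && frame.contentDocument.readyState !== "complete")) {
                        timer = t.step_timeout(checkDone, 10);
                        return;
                    }
                } catch (e) {
                    // Deliberately ignored: once the frame holds a document the
                    // embedder may not script, reading location.href throws. That
                    // is the outcome this test is waiting for, so fall through to
                    // the assertion instead of failing the step.
                }
                // A document the embedder cannot access is exposed as a null
                // contentDocument; a non-null value means the page was framed
                // even though 'frame-ancestors' forbade it.
                assert_equals(frame.contentDocument, null);
                t.done();
            });

            // Run the check on load and on a short timer, whichever comes first.
            frame.onload = checkDone;
            timer = t.step_timeout(checkDone, 10);
            document.body.appendChild(frame);
        }, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would allow the page.");
    </script>
</body>
</html>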