<!DOCTYPE html> <html> <head> <title>Frame-src: 'self' matches even if the parent's origin is unique.</title> <script src="/resources/testharness.js"></script> <script src="/resources/testharnessreport.js"></script> </head> <body> <script> var t = async_test('SubframeLoaded'); window.addEventListener('securitypolicyviolation', t.step_func(function(e) { if (e.violatedDirective === "frame-src") { assert_unreached('unexpected securitypolicyviolation'); t.done(); } })); window.addEventListener("message", t.step_func(function(event) { assert_equals(event.data, "PASS", 'unexpected message: ' + event.data); t.done(); })); f = document.createElement("iframe"); f.src = "/content-security-policy/support/postmessage-pass.html"; document.body.appendChild(f); </script> </body> </html>