chromium/third_party/blink/web_tests/external/wpt/fenced-frame/csp-ancestors.https.sub.html

<!DOCTYPE html>
<title>Test Content-Security-Policy frame-ancestors</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<script src="/common/dispatcher/dispatcher.js"></script>
<script src="resources/utils.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<body>
<script>
promise_test(async (t) => {
  // The fenced frame loads with a frame-ancestors policy set. The only way for
  // the fenced frame to know that it can't load is if it checks its parent's
  // policy across the fenced frame boundary.
  const frame = await attachFencedFrameContext({
    headers: [[
      'Content-Security-Policy',
      'frame-ancestors {{hosts[alt][www1]}}:{{ports[https][0]}}'
    ]]
  });
  let timeout_promise =
      new Promise(resolve => t.step_timeout(() => resolve('timeout'), 1000));
  let execute_promise = frame.execute(() => {});
  const result = await Promise.race([timeout_promise, execute_promise]);
  assert_equals(result, 'timeout', 'The fenced frame should not load');
}, 'Fenced frames check beyond fenced boundary for CSP frame-ancestors');

promise_test(async () => {
  // The Protected Audience fenced frame loads with a frame-ancestors policy
  // set. It should be allowed to load even though the parent's origin isn't
  // part of the policy.
  const frame = await attachFencedFrameContext({
    generator_api: 'fledge',
    headers: [[
      'Content-Security-Policy',
      'frame-ancestors {{hosts[alt][www1]}}:{{ports[https][0]}}'
    ]]
  });
  await frame.execute(() => {});
}, 'Protected Audience fenced frames do not check beyond fenced boundary for ' +
   'CSP frame-ancestors');
</script>
</body>