chromium/third_party/blink/web_tests/external/wpt/fenced-frame/csp.https.html

<!DOCTYPE html>
  <title>Test Content Security Policy</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="resources/utils.js"></script>
  <script src="/common/utils.js"></script>

  <body>

    <script>
      promise_test(async () => {
        const csp_key = token();

        // The 'csp' property does not appear in the IDL definition for
        // fenced frames, so ensure that the 'csp' property didn't
        // leak over from the IFrame prototype.
        assert_equals(HTMLFencedFrameElement.prototype.hasOwnProperty('csp'),
                      false);

        const new_frame = document.createElement('fencedframe');
        const new_config = new FencedFrameConfig(generateURL(
            "resources/csp-inner.html",
            [csp_key]));
        new_frame.config = new_config;

        // This attribute will be ignored since the IDL for
        // fenced frames do not support the 'csp' attribute.
        new_frame.setAttribute("csp", "style-src 'none';");
        document.body.append(new_frame);

        // Get the result for the top-level fenced frame.
        const fenced_frame_result = await nextValueFromServer(csp_key);
        assert_equals(fenced_frame_result, "pass");

      }, "Fenced Frames should not honor the csp attribute from parent page");
    </script>

  </body>
</html>