<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<meta http-equiv="Content-Security-Policy" content="frame-src https://localhost:8443">
async_test(t => {
var watcher = new EventWatcher(t, document, ['securitypolicyviolation']);
.then(t.step_func(e => {
assert_equals(e.blockedURI, "http://localhost:8000", "The reported URL should be stripped.");
assert_equals(e.lineNumber, 0, "The script line number shouldn't be reported.");
window.onmessage = t.unreached_func('No message should be sent from the frame.');
window.onload = _ => {
// The test verifies that Content-Security-Policy from the main frame
// restricts child frame's location even when the location is changed
// as a result of a navigation trigerred from within the child frame
// (which might reside in another renderer process due to --site-per-process).
var url = "https://localhost:8443/security/contentSecurityPolicy/resources/frame-that-navigates-itself.html";
var i = document.createElement('iframe');
i.src = url;
}, "The frame's navigation is blocked.");