Codebase Browser
chromium
Go to App

chromium/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/frame-src-blocked.html 

<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<meta http-equiv="Content-Security-Policy" content="frame-src 'self'">
<script>
    async_test(t => {
        var watcher = new EventWatcher(t, document, ['securitypolicyviolation']);
        watcher
            .wait_for('securitypolicyviolation')
            .then(t.step_func(e => {
                assert_equals(e.blockedURI, "http://localhost:8000", "The reported URL should be stripped.");
                assert_equals(e.lineNumber, 21, "IFrame injected from script on this page.");
                t.done();
            }));

        window.onmessage = t.unreached_func('No message should be sent from the frame.');
        window.onload = _ => {
            var url = "http://localhost:8000/security/resources/post-done.html";
            var i = document.createElement('iframe');
            i.src = url;
            document.body.appendChild(i);
        };
    }, "The unredirected frame is blocked.");
</script>