A more permissive child-src should not relax restrictions from a less- permissive frame-src. Directives still combine for least privilege, even when one obsoletes another.

Summary

Harness status: OK

Found 1 tests

Details

ResultTest NameMessage
PassExpecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"]
Asserts run
Pass
assert_equals("PASS IFrame #1 generated a load event.", "PASS IFrame #1 generated a load event.")
    at Test.<anonymous> ( /content-security-policy/support/logTest.sub.js?logs=[%22PASS%20IFrame%20%231%20generated%20a%20load%20event.%22,%20%22violated-directive=frame-src%22]:29:21)
Pass
assert_equals("violated-directive=frame-src", "violated-directive=frame-src")
    at Test.<anonymous> ( /content-security-policy/support/logTest.sub.js?logs=[%22PASS%20IFrame%20%231%20generated%20a%20load%20event.%22,%20%22violated-directive=frame-src%22]:29:21)