Bug 197226

X-Frame-Options header should be ignored when frame-ancestors CSP directive is present: - https://www.w3.org/TR/CSP3/#frame-ancestors-and-frame-options """ In order to allow backwards-compatible deployment, the frame-ancestors directive _obsoletes_ the X-Frame-Options header. If a resource is delivered with an policy that includes a directive named frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header MUST be ignored. """ Gecko and Blink follow the specification, WebKit does not. As a result, page [1] is broken with WebbKit-only on Schwab.com. The page height is wrong and you cannot see all the ETFs as a result. The console shows the following error: [Error] Refused to display 'https://www.schwab.com/public/asset?cmsid=P-4229490&h=4589' in a frame because it set 'X-Frame-Options' to 'sameorigin'. However, the following CSP header is also sent by the server: Content-Security-Policy: frame-ancestors 'self' http://*.schwab.com https://*.schwab.com https://content.schwab.com http://content.schwab.com https://client.schwab.com https://lms.schwab.com https://www.schwabcdn.com https://*.schwabinstitutional.com https://*.dev-schwab.acsitefactory.com https://*.test-schwab.acsitefactory.com https://*.train-schwab.acsitefactory.com https://*.schwab.acsitefactory.com https://*.schwab.co.uk https://*.schwab.com.hk https://*.schwab.com.sg https://*.schwab.com.au https://*.schwabcharitable.org https://*.schwabmoneywise.com https://*.schwabsavingsfundamentals.com https://*.schwabbankfunds.com https://*.schwabadvisorcenter.com https://*.schwabfunds.com https://*.schwabpt.com https://*.windhaveninvestments.com https://*.schwab.tech http://www.schwabintelligenttechnologies.com https://www.schwabintelligenttechnologies.com https://*.wallst.com http://*.wallst.com; [1] https://www.schwab.com/public/schwab/investing/investment_help/investment_research/etf_research/etfs.html?&path=/Prospect/Research/etfs/overview/oneSourceETFs.asp