Bug 177671 - CSP frame-ancestors works incorrectly when x-origin iframe is nested inside srcdoc iframe
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames
Version: Safari Technology Preview
Hardware: Unspecified
Importance: P2 Normal
Assignee: Nobody
Reported: 2017-09-29 10:49 PDT by Dima Voytenko
Modified: 2018-05-22 14:47 PDT (History)
Description Dima Voytenko 2017-09-29 10:49:04 PDT
The issue is demonstrated here: http://output.jsbin.com/likekal/quiet

The structure of the page is:

```
https://origin1
<html>
  <iframe srcdoc="...">
    #document
      <iframe src="https://origin2"></iframe>
  </iframe>
</html>
```

In other words, origin1 embeds an origin2 iframe via an intermediary srcdoc (friendly) iframe.

Origin2 explicitly allows embedding inside origin1 via CSP directive:
```
"Content-Security-Policy": "frame-ancestors https://origin1", 
```

The demo embeds an origin2 iframe via srcdoc and via about:blank+document.write.

As a result, srcdoc embedding is not allowed due to a CSP error. Error in console:

"Refused to load https://httpbin.org/response-headers?Content-Security-Policy=frame-ancestors%20http://output.jsbin.com because it does not appear in the frame-ancestors directive of the Content Security Policy."

However, weirdly enough, the embedding via about:blank+document.write works fine. And, interestingly, location.ancestorOrigins in the x-origin iframe returns correct `[origin1, origin1]`.

I believe srcdoc/x-origin should work per spec: https://w3c.github.io/webappsec-csp/#frame-ancestors-navigation-response. The srcdoc document should inherit its creator's origin, and that origin should be used for the comparison.
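The following is an added example, not code from the report or from WebKit: it models the frame-ancestors check from the spec link above over a frame chain like the one in this bug, where srcdoc and about:blank documents inherit their creator's origin. The chain description format, the `inheritCreatorOrigin` switch (which reproduces the reported symptom when turned off) and the constructed `reportChain` are assumptions of this example; matching is limited to scheme://host origins, `'self'`, `'none'`, `*` and `*.host` wildcards.

```javascript
// Added example (not from the bug report or WebKit). Each ancestor is either
// { origin } for a normal document, or { inherits: true, creatorOrigin } for a
// srcdoc / about:blank document, which per spec inherits its creator's origin.

// Effective origin of an ancestor frame. When inheritCreatorOrigin is false the
// inheriting document is treated as an opaque origin ("null"), which is the
// kind of mis-modeling that produces the "Refused to load" error in the report.
function effectiveOrigin(frame, inheritCreatorOrigin) {
  if (!frame.inherits) return frame.origin;
  return inheritCreatorOrigin ? frame.creatorOrigin : 'null';
}

// Pull the source list out of a CSP header value; null means the directive is absent.
function parseFrameAncestors(cspHeader) {
  const directive = cspHeader.split(';').map(s => s.trim())
    .find(s => s.startsWith('frame-ancestors'));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

// Match one source expression against a scheme://host origin.
function sourceMatches(source, origin, selfOrigin) {
  const s = source.replace(/^'|'$/g, '');
  if (s === 'self') return origin === selfOrigin;
  if (s === 'none') return false;
  if (s === '*') return true;
  if (s.includes('://*.')) {                   // host wildcard, e.g. https://*.example.com
    const [scheme, host] = s.split('://');
    const [oScheme, oHost] = origin.split('://');
    if (!oHost) return false;
    const suffix = host.slice(1);              // ".example.com"
    return oScheme === scheme && oHost.endsWith(suffix) && oHost.length > suffix.length;
  }
  return s === origin;
}

// True when every ancestor's effective origin is allowed by frame-ancestors.
function frameAncestorsAllows(cspHeader, ancestors, responseOrigin,
                              { inheritCreatorOrigin = true } = {}) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true;           // no directive: no restriction
  return ancestors.every(frame => {
    const origin = effectiveOrigin(frame, inheritCreatorOrigin);
    return sources.some(src => sourceMatches(src, origin, responseOrigin));
  });
}

// Constructed chain from the report: origin2 inside a srcdoc iframe inside origin1.
const reportChain = [
  { origin: 'https://origin1' },
  { inherits: true, creatorOrigin: 'https://origin1' },
];
```

With `inheritCreatorOrigin` left at its default the report's chain is allowed by `frame-ancestors https://origin1`; switching it off makes the same chain fail, matching the console error quoted above.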
Comment 1 Radar WebKit Bug Importer 2017-10-01 11:02:48 PDT
<rdar://problem/34760668>
Comment 2 Frédéric Wang (:fredw) 2018-05-21 08:46:58 PDT
@Dima The srcdoc case seems to behave the same as src and document.write for release versions of WebKit (iOS, macOS, GTK) and I don't see any error message in the console. Can you please try again (and update the testcase if necessary)?
Comment 3 Dima Voytenko 2018-05-22 13:03:17 PDT
I'm seeing it in Safari 11.0.3 (13604.5.6). But it's fixed in release 56 (Safari 11.2, WebKit 13606.1.17.2.2). Not sure when exactly it got fixed and if there was a duplicate bug out here somewhere.
Comment 4 Daniel Bates 2018-05-22 14:47:00 PDT
This bug was fixed in <https://trac.webkit.org/changeset/227238>.