The issue is demonstrated here: http://output.jsbin.com/likekal/quiet The structure of the page is: ``` https://origin1 <html> <iframe srcdoc="..."> #document <iframe src="https://origin2"></iframe> </iframe> </html> ``` In other words, origin1 embeds origin2 iframe via intermediary srcdoc (friendly) iframe. Origin2 explicitly allows embedding inside origin1 via CSP directive: ``` "Content-Security-Policy": "frame-ancestors https://origin1", ``` The demo embeds an origin2 iframe via srcdoc and via about:blank+document.write. As the result, srcdoc embedding is not allowed due to CSP error. Error in console: "Refused to load https://httpbin.org/response-headers?Content-Security-Policy=frame-ancestors%20http://output.jsbin.com because it does not appear in the frame-ancestors directive of the Content Security Policy." However, weirdly enough, the embedding via about:blank+document.write works fine. And, interestingly, location.ancestorOrigins in the x-origin iframe returns correct `[origin1, origin1]`. I believe srcdoc/x-origin should work per spec: https://w3c.github.io/webappsec-csp/#frame-ancestors-navigation-response. The srcdoc document should inherit its creator's origin, and that origin to do the comparison.