X-Frame-Options header should be ignored when frame-ancestors CSP directive is present:
In order to allow backwards-compatible deployment, the frame-ancestors directive _obsoletes_ the X-Frame-Options header. If a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header MUST be ignored.
Gecko and Blink follow the specification, WebKit does not. As a result, page  is broken with WebKit-only on Schwab.com. The page height is wrong and you cannot see all the ETFs as a result.
The console shows the following error:
[Error] Refused to display 'https://www.schwab.com/public/asset?cmsid=P-4229490&h=4589' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
However, the following CSP header is also sent by the server:
Content-Security-Policy: frame-ancestors 'self' http://*.schwab.com https://*.schwab.com https://content.schwab.com http://content.schwab.com https://client.schwab.com https://lms.schwab.com https://www.schwabcdn.com https://*.schwabinstitutional.com https://*.dev-schwab.acsitefactory.com https://*.test-schwab.acsitefactory.com https://*.train-schwab.acsitefactory.com https://*.schwab.acsitefactory.com https://*.schwab.co.uk https://*.schwab.com.hk https://*.schwab.com.sg https://*.schwab.com.au https://*.schwabcharitable.org https://*.schwabmoneywise.com https://*.schwabsavingsfundamentals.com https://*.schwabbankfunds.com https://*.schwabadvisorcenter.com https://*.schwabfunds.com https://*.schwabpt.com https://*.windhaveninvestments.com https://*.schwab.tech http://www.schwabintelligenttechnologies.com https://www.schwabintelligenttechnologies.com https://*.wallst.com http://*.wallst.com;
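The precedence rule quoted in the report, worked through as an added example (not WebKit's code and not part of the original report): given a response's headers, it reports whether an enforced frame-ancestors directive is present and X-Frame-Options must therefore be ignored. The function names and the header-object shape are assumptions made for this sketch, and the sample source list is shortened from the one in the report.

```javascript
// Added example. Header names are lower-cased; each maps to an array of
// values because a response may repeat a header.

// Parse one serialized policy into Map(directive name -> source list).
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Collect frame-ancestors source lists from enforced policies only.
// Content-Security-Policy-Report-Only has disposition "report" and is skipped.
function enforcedFrameAncestors(headers) {
  const lists = [];
  for (const value of headers['content-security-policy'] || []) {
    // One header value may carry several comma-separated policies.
    for (const policy of value.split(',')) {
      const directives = parsePolicy(policy);
      if (directives.has('frame-ancestors')) lists.push(directives.get('frame-ancestors'));
    }
  }
  return lists;
}

// Decide which mechanism governs framing for this response.
function framingDecision(headers) {
  const lists = enforcedFrameAncestors(headers);
  const xfo = (headers['x-frame-options'] || []).map((v) => v.trim().toLowerCase());
  if (lists.length > 0) {
    return { governedBy: 'frame-ancestors', sourceLists: lists, xfoIgnored: xfo.length > 0 };
  }
  if (xfo.length > 0) return { governedBy: 'x-frame-options', xfo, xfoIgnored: false };
  return { governedBy: 'none', xfoIgnored: false };
}

// Constructed sample: the reported header pair, with the source list shortened.
const reported = {
  'x-frame-options': ['sameorigin'],
  'content-security-policy': ["frame-ancestors 'self' https://*.schwab.com https://*.wallst.com;"],
};
console.log(framingDecision(reported));
```

A response for which `xfoIgnored` is true is one where an engine that still enforces X-Frame-Options can block a frame that the CSP allows, which is the mismatch reported here.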
Created attachment 368110
Created attachment 368111
Comment on attachment 368111
Clearing flags on attachment: 368111
Committed r244589: <https://trac.webkit.org/changeset/244589>
All reviewed patches have been landed. Closing bug.