Open
Bug 1404438
Opened 7 years ago
Updated 2 years ago
CSP frame-ancestors works incorrectly when x-origin iframe is nested inside srcdoc iframe
Categories
(Core :: DOM: Security, defect, P3)
UNCONFIRMED
People
(Reporter: dvoytenko, Unassigned)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [domsecurity-backlog2])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Steps to reproduce:
The issue is demonstrated here: http://output.jsbin.com/likekal/quiet
The structure of the page is:
```
https://origin1
<html>
  <iframe srcdoc="...">
    #document
      <iframe src="https://origin2"></iframe>
  </iframe>
</html>
```
In other words, origin1 embeds origin2 iframe via intermediary srcdoc (friendly) iframe.
Origin2 explicitly allows embedding inside origin1 via CSP directive:
```
"Content-Security-Policy": "frame-ancestors https://origin1",
```
The demo embeds an origin2 iframe via srcdoc and via about:blank+document.write.
Actual results:
As a result, srcdoc embedding is not allowed due to CSP error. Error is displayed:
"Blocked by Content Security Policy"
Expected results:
However, weirdly enough, the embedding via about:blank+document.write works fine. Even more interestingly, `X-Frame-Options: allow origin1` works fine.
I believe srcdoc/x-origin should work per spec: https://w3c.github.io/webappsec-csp/#frame-ancestors-navigation-response. The srcdoc document should inherit its creator's origin, and that origin should be used for the comparison.
Updated•7 years ago
Component: Untriaged → DOM: Security
Product: Firefox → Core
Comment 1•7 years ago
Yes, the srcdoc should be same-origin just as about:blank is. Perhaps we have some special checks for about:blank that we're not doing for about:srcdoc -- though ideally we're NOT using the document URL but rather its principal. If we're using the URL we've probably got other bugs as well :-(
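The following is an added example, not code from the bug report, the demo page or Firefox. It models the spec's frame-ancestors navigation response check referenced in the description, with browsing contexts represented as plain objects and `about:srcdoc`/`about:blank` documents inheriting their creator's origin, and contrasts it with a hypothetical check that compares document URLs instead of origins, as Comment 1 speculates Firefox may be doing. The origins, the `creator` field and the function names are assumptions made for the illustration; the source-expression matcher covers only `'none'`, `'self'`, scheme-only, exact host and `*.` wildcard forms.

```javascript
// Added example (not from the bug report or Firefox): model of the CSP
// "frame-ancestors navigation response check",
// https://w3c.github.io/webappsec-csp/#frame-ancestors-navigation-response
// A document is { url, creator? }; creator is the document that created an
// about:blank / about:srcdoc document. These objects are constructed here.

// Serialized origin of a document. Per HTML, about:blank and about:srcdoc
// documents inherit the origin of their creator, so the URL alone is useless.
function documentOrigin(doc) {
  if (doc.url === 'about:blank' || doc.url === 'about:srcdoc') {
    if (!doc.creator) throw new Error(`${doc.url} document without a creator`);
    return documentOrigin(doc.creator);
  }
  return new URL(doc.url).origin; // e.g. "https://origin1"
}

// Extract the frame-ancestors source list from a CSP header value.
// Returns null when the directive is absent (CSP then imposes no restriction).
function parseFrameAncestors(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };
const defaultPort = (protocol) => DEFAULT_PORT[protocol] || '';

// Match one ancestor origin against one frame-ancestors source expression.
// Subset of CSP matching: 'none', 'self', "https:", "scheme://host[:port]",
// "host[:port]" and a leading "*." host wildcard. Paths never matter here,
// because frame-ancestors compares origins.
function sourceMatches(expr, ancestorOrigin, responseOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return ancestorOrigin === responseOrigin;
  const anc = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return anc.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (scheme.toLowerCase() + ':' !== anc.protocol) return false;
  } else {
    // Scheme omitted: ancestor must use the protected resource's scheme
    // (or https when the resource is http).
    const resp = new URL(responseOrigin).protocol;
    if (anc.protocol !== resp && !(resp === 'http:' && anc.protocol === 'https:')) return false;
  }
  const ancHost = anc.hostname.toLowerCase();
  const hostOk = wildcard ? ancHost.endsWith('.' + host.toLowerCase()) : ancHost === host.toLowerCase();
  if (!hostOk) return false;
  if (port === '*') return true;
  const ancPort = anc.port || defaultPort(anc.protocol);
  const wantPort = port || defaultPort(scheme ? scheme.toLowerCase() + ':' : anc.protocol);
  return ancPort === wantPort;
}

// Spec behaviour: every ancestor document's ORIGIN (its principal) must match
// some source expression. `ancestors` is the chain from the embedding document
// up to the top-level document. Returns 'Allowed' or 'Blocked'.
function frameAncestorsCheck(responseOrigin, cspHeader, ancestors) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return 'Allowed';
  for (const doc of ancestors) {
    const origin = documentOrigin(doc);
    if (!sources.some((s) => sourceMatches(s, origin, responseOrigin))) return 'Blocked';
  }
  return 'Allowed';
}

// Hypothetical buggy variant (an assumption, not Firefox's code): derive the
// ancestor origin from the document URL. about:srcdoc has an opaque ("null")
// origin as a URL, so the intermediary frame can never match and the load is
// blocked, which is the symptom the report describes.
function frameAncestorsCheckByUrl(responseOrigin, cspHeader, ancestors) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return 'Allowed';
  for (const doc of ancestors) {
    const origin = new URL(doc.url).origin; // 'null' for about:srcdoc / about:blank
    if (origin === 'null' || !sources.some((s) => sourceMatches(s, origin, responseOrigin))) return 'Blocked';
  }
  return 'Allowed';
}

// Constructed scenario mirroring the report: origin1 -> srcdoc frame -> origin2.
const origin1Doc = { url: 'https://origin1/' };
const srcdocDoc = { url: 'about:srcdoc', creator: origin1Doc };
const blankDoc = { url: 'about:blank', creator: origin1Doc };
const CSP = 'frame-ancestors https://origin1';

function demo() {
  return {
    nestedInSrcdoc: frameAncestorsCheck('https://origin2', CSP, [srcdocDoc, origin1Doc]),
    nestedInBlank: frameAncestorsCheck('https://origin2', CSP, [blankDoc, origin1Doc]),
    direct: frameAncestorsCheck('https://origin2', CSP, [origin1Doc]),
    fromOtherOrigin: frameAncestorsCheck('https://origin2', CSP, [{ url: 'https://origin3/' }]),
    srcdocByUrl: frameAncestorsCheckByUrl('https://origin2', CSP, [srcdocDoc, origin1Doc]),
  };
}

console.log(demo());
```

Run with `node`: the spec-faithful check allows both the srcdoc and the about:blank intermediary, since each resolves to `https://origin1`, while the URL-based variant blocks the srcdoc case. Reviewing a CSP implementation against this distinction (origin/principal versus URL) is the check the comment above asks for.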
Updated•2 years ago
|
Severity: normal → S3