A CACHEABLE same-domain victim frame, which is configured to DENY ALL.
A same-domain victim frame, which is configured to DENY ALL using a META tag (Use of the directive in META is deliberately unsupported). This is the 1st of 6 that should be permitted on this page.
A same-domain victim OBJECT tag, which is configured to DENY ALL.
A same-domain frame which is configured to ALLOW same-origin hosts. This is the 2nd of 6 that should be permitted on this page.
A same-domain SECURITY=RESTRICTED frame which is configured to ALLOW same-origin hosts. This is the 3rd of 6 that should be permitted on this page.
A same-domain victim OBJECT tag, which is configured to ALLOW same-origin hosts. This is the 4th of 6 that should be permitted on this page.
A cross-origin victim IFRAME, which is configured to ALLOW-FROM this origin. This is the 5th of 6 that should be permitted on this page. Note: Legacy IE doesn't support CSP.
A same-origin IFRAME, which is configured to XFO-Deny but with a CSP: frame-ancestors 'self' rule. This is the 6th of 6 that should be permitted on this page.
A same-origin victim IFRAME, which is configured to ALLOW-FROM a different origin only (Blocked because the specified Allow-From origin does not match outermost page). NOTE: Chrome doesn't support ALLOW-FROM.
A parent-domain frame which is configured to ALLOW same-origin hosts. (Blocked because document.domain is deliberately ignored.)
A peer-domain frame which is configured to ALLOW same-origin hosts. (Blocked because the entire FQDN is compared.)
An x-domain victim frame:
An x-domain victim frame, with SECURITY=RESTRICTED to prevent script from running:
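The permitted and blocked outcomes listed above, modelled as one decision function. This is an added example, not the test page's own code: the function names and the example.test origins are constructed. It assumes a browser that supports both ALLOW-FROM and frame-ancestors, a single level of nesting, and frame-ancestors sources limited to 'self' and full origins.

```javascript
// Added illustration; all function names and origins are constructed.
// Simplified model: one level of nesting, so the only ancestor is the top page.

// Origin = scheme + full host name + port; null if the value is not a URL.
function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// Return the frame-ancestors source list, or null if the directive is absent.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// policy: { xfo, csp, via } where via is 'header' or 'meta' (hypothetical shape).
function framingAllowed(frameUrl, topUrl, policy) {
  const frame = originOf(frameUrl);
  const top = originOf(topUrl);
  // A policy delivered in a META tag is ignored, so the frame renders.
  if (policy.via === 'meta') return true;
  // frame-ancestors, when present, decides instead of X-Frame-Options.
  const sources = frameAncestors(policy.csp);
  if (sources !== null) {
    return sources.some(s => (s === "'self'" ? top === frame : originOf(s) === top));
  }
  const xfo = (policy.xfo || '').trim().toLowerCase();
  if (xfo === 'deny') return false;
  // Whole origins are compared: a parent or peer host name does not match.
  if (xfo === 'sameorigin') return top === frame;
  const m = /^allow-from\s+(\S+)$/.exec(xfo);
  if (m) return originOf(m[1]) === top;
  return true; // no header or unrecognised value: treated as no policy (assumption)
}

const TOP = 'https://www.example.test/test.html'; // constructed outer page
console.log(framingAllowed('https://www.example.test/f', TOP, { xfo: 'DENY' }));
console.log(framingAllowed('https://example.test/f', TOP, { xfo: 'SAMEORIGIN' }));
```
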