Child2 Frame Page

This page tries to load assets from itself.

Child1 in an iFrame

This should fail as child1 has Header set X-Frame-Options DENY.

Child2 in an iFrame

This should work as child2 has Header set X-Frame-Options SAMEORIGIN.

Child3 in an iFrame

This should work as child3 has Header add Content-Security-Policy "frame-ancestors 'self' http://child2.marcpatterson.com;".

An image from child1

This should work as there's nothing on child1 to prevent images being loaded by other domains.

An image from child2

This should work as child2 is a valid referer:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://child2.marcpatterson.com [NC]
RewriteRule \.(gif|jpg|png)$ http://marcpatterson.com/img/fake.png [R,L]