Same-origin embedded content
Feature policies can be used to control whether a frame is allowed to use XMLHttpRequest to request resources synchronously. This page demonstrates how the policy can be set at the top-level page to allow frames from one origin to do this, and not another.
The first frame comes from the same origin as the top-level page, and will be allowed to use sync-xhr in a browser which supports feature policy.
The second and third frames are identical, but hosted on different origins. One will be allowed to use sync-xhr, and the other will not.
The fourth frame is hosted on an origin which is allowed to use sync-xhr, but it has its own policy header, which explicitly declines the sync-xhr feature. Finally, the last frame is hosted on the same origin as this page, but also declines the feature, so it is disabled.
In any frame, click "Sync" to try a synchronous request; "Async" for an asynchronous request. For comparison with other kinds of errors, "404" will perform a synchronous request to a non-existent resource, and "DNS Err" will attempt a synchronous request to a non-existent domain.
Feature-Policy: sync-xhr 'self' http://a.featurepolicy.rocks
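The five frame outcomes described above can be worked through with a small model of how the header resolves. This is an added example, not the demo page's own code or the browser's full algorithm. The origins `http://top.example` and `http://b.example` are constructed placeholders for this page's origin and the disallowed origin, and `sync-xhr 'none'` is assumed as the header a declining frame sends.

```javascript
// Simplified model: only the two response headers are considered (no iframe "allow" attribute).
function parsePolicy(header) {
  const policy = new Map();
  for (const directive of (header || '').split(';')) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/);
    if (feature) policy.set(feature, allowlist);
  }
  return policy;
}
function originOf(entry) {
  try { return new URL(entry).origin; } catch { return null; } // keywords are not URLs
}

// Does an allowlist cover `origin`, where 'self' means `selfOrigin`?
function matches(allowlist, origin, selfOrigin) {
  return allowlist.some((entry) =>
    entry === '*' ||
    (entry === "'self'" && origin === selfOrigin) ||
    originOf(entry) === origin);
}

function syncXhrAllowed(top, frame) {
  const feature = 'sync-xhr';
  const topPolicy = parsePolicy(top.header);
  // The embedding page's allowlist must cover the frame's origin.
  if (topPolicy.has(feature) &&
      !matches(topPolicy.get(feature), frame.origin, top.origin)) return false;
  // The frame's own header can only decline the feature, never regain it.
  const framePolicy = parsePolicy(frame.header);
  if (framePolicy.has(feature) &&
      !matches(framePolicy.get(feature), frame.origin, frame.origin)) return false;
  return true; // sync-xhr is enabled by default when no policy restricts it
}

// Constructed origins: top.example and b.example are placeholders.
const TOP = { origin: 'http://top.example',
              header: "sync-xhr 'self' http://a.featurepolicy.rocks" };
const FRAMES = [
  { name: 'same origin', origin: 'http://top.example', header: '' },
  { name: 'allowed origin', origin: 'http://a.featurepolicy.rocks', header: '' },
  { name: 'other origin', origin: 'http://b.example', header: '' },
  { name: 'allowed, declines', origin: 'http://a.featurepolicy.rocks', header: "sync-xhr 'none'" },
  { name: 'same origin, declines', origin: 'http://top.example', header: "sync-xhr 'none'" },
];
function evaluateFrames() {
  return FRAMES.map((f) => [f.name, syncXhrAllowed(TOP, f)]);
}
console.log(evaluateFrames());
```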