frame-ancestors content security policy in header does not obsolete X-Frame-Options in headless mode
Reported by a...@2u.com, Apr 23 2018
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce the problem:
1. Start web server from <origin A url> which serves some HTML content from root path with `frame-ancestors: <origin B url>` in its directive as well as `X-Frame-Options: DENY` in header.
2. Start web server from `<origin B url>` which loads a page with an iframe with src attribute value `<origin A url>`.
3. Start chrome headless for `<origin B url>` (the server which serves the iframe which loads content from a different origin) with remote debugging enabled.
4. Observe no content is loaded (console error: Refused to display '<origin A url>' in a frame because it set 'X-Frame-Options' to 'deny'.)

What is the expected behavior?
According to CSP2 (https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options), the `frame-ancestors` directive should override the `X-Frame-Options` directive. This behavior is respected in chrome running in non-headless mode.

What went wrong?
`X-Frame-Options` directive is not overridden by a valid `frame-ancestors` CSP directive.

Did this work before? No
Chrome version: 65.0.3325.181
Channel: n/a
OS Version: OS X 10.11.6
Flash Version:
Apr 23 2018, Apr 24 2018
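An added example, not part of the bug report or of Chromium's code, that models the CSP2 precedence rule the report cites: when a response carries a frame-ancestors directive, that directive alone decides whether the page may be framed and X-Frame-Options is ignored. The csp_overrides_xfo=False switch models the headless behaviour the reporter observed, where X-Frame-Options: DENY is enforced regardless of the directive. The origins a.example, b.example and partner.example are constructed sample values.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def source_matches(expr, ancestor, self_origin):
    """Match one frame-ancestors source expression against an ancestor origin."""
    expr = expr.strip("'").lower()
    if expr == "none":
        return False
    if expr == "*":
        return True
    if expr == "self":
        return ancestor == self_origin
    if expr.endswith(":"):                      # scheme source, e.g. "https:"
        return ancestor[0] == expr[:-1]
    # host source: [scheme://]host[:port], host may start with a "*." wildcard
    scheme, _, rest = expr.partition("://") if "://" in expr else (self_origin[0], "", expr)
    host, _, port = rest.partition(":")
    port = int(port) if port else DEFAULT_PORTS.get(scheme)
    if scheme != ancestor[0] or port != ancestor[2]:
        return False
    if host.startswith("*."):                   # wildcard matches subdomains only
        return ancestor[1].endswith(host[1:])
    return host == ancestor[1]

def framing_allowed(headers, ancestor_url, resource_url, csp_overrides_xfo=True):
    """Decide whether resource_url may be framed by a page at ancestor_url.

    csp_overrides_xfo=True is the CSP2 rule: a frame-ancestors directive makes
    X-Frame-Options irrelevant. False models the reported headless behaviour,
    where X-Frame-Options: DENY is enforced even though frame-ancestors allows.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestor, self_origin = origin_of(ancestor_url), origin_of(resource_url)
    xfo = h.get("x-frame-options", "").strip().upper()
    xfo_allows = (xfo != "DENY") and (xfo != "SAMEORIGIN" or ancestor == self_origin)
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            csp_allows = any(source_matches(s, ancestor, self_origin) for s in value.split())
            return csp_allows if csp_overrides_xfo else (xfo_allows and csp_allows)
    return xfo_allows                           # no frame-ancestors: XFO alone decides
```

The first two assertions below are the report's scenario: origin A sends both headers, origin B frames it, and only the CSP2 rule lets the frame load.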
Comment 1 by elawrence@chromium.org, Apr 23 2018
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug