This iframe should load the resource via the src-attribute from a secure server which requires a client-cert. Doing this is supposed to work, but further below in the test we try to load the resource from the same url using a XHR, which should not work. TODO : What if we change 'src' from JS? Would/should it load?