diff --git a/Libraries/LibWeb/ContentSecurityPolicy/Directives/FrameAncestorsDirective.cpp b/Libraries/LibWeb/ContentSecurityPolicy/Directives/FrameAncestorsDirective.cpp index 79288e13dbb..fbd4404a105 100644 --- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/FrameAncestorsDirective.cpp +++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/FrameAncestorsDirective.cpp @@ -57,8 +57,10 @@ Directive::Result FrameAncestorsDirective::navigation_response_check(GC::Reforigin().serialize()); - // FIXME: What do we do if origin is invalid here? - VERIFY(origin.has_value()); + // AD-HOC: If the origin is opaque, serialization produces "null" which fails URL parsing. + // All major engines block in this case, as an opaque origin can never match any source expression. + if (!origin.has_value()) + return Result::Blocked; // 3. If § 6.7.2.7 Does url match source list in origin with redirect count? returns Does Not Match when // executed upon origin, this directive’s value, policy’s self-origin, and 0, return "Blocked". diff --git a/Tests/LibWeb/Text/expected/html/csp-frame-ancestors-opaque-origin.txt b/Tests/LibWeb/Text/expected/html/csp-frame-ancestors-opaque-origin.txt new file mode 100644 index 00000000000..7ef22e9a431 --- /dev/null +++ b/Tests/LibWeb/Text/expected/html/csp-frame-ancestors-opaque-origin.txt @@ -0,0 +1 @@ +PASS diff --git a/Tests/LibWeb/Text/input/html/csp-frame-ancestors-opaque-origin.html b/Tests/LibWeb/Text/input/html/csp-frame-ancestors-opaque-origin.html new file mode 100644 index 00000000000..d9053b8fa84 --- /dev/null +++ b/Tests/LibWeb/Text/input/html/csp-frame-ancestors-opaque-origin.html @@ -0,0 +1,33 @@ + + +
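Review bot: In the first hunk, the new guard `if (!origin.has_value())` blocks on any URL parse failure, while the AD-HOC comment attributes it only to an opaque origin serializing to "null". Failing closed is the right direction for frame-ancestors, and it replaces a `VERIFY` that would abort the process on a sandboxed ancestor. The comment should still say the branch covers every parse failure, for example `// NOTE: Any parse failure blocks here (fail closed); an opaque origin is the only known cause.`, or the code should test the origin for opaqueness before serializing. The claim that an opaque origin "can never match any source expression" is worth confirming against a `*` source list. If the wildcard is meant to be blocked as well, say so in the comment and cover it in the new test, whose body is not visible here. The lines that build `origin` are garbled in this view and the function continues outside the hunk, so this is based on the added lines only.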