IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. | |
FAIL Expecting logs: ["PASS IFrame #1 generated a load event.","violated-directive=frame-src"] assert_unreached: Logging timeout, expected logs violated-directive=frame-src not sent. Reached unreachable code | |