IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. | |
PASS Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] | |