IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.

Summary

Harness status: OK

Found 1 tests

Details

Result | Test Name | Message
Pass | Expecting logs: ["PASS IFrame #1 generated a load event.","violated-directive=frame-src"] |
Asserts run
Pass
assert_equals("PASS IFrame #1 generated a load event.", "PASS IFrame #1 generated a load event.")
    at Test.<anonymous> ( /content-security-policy/support/logTest.sub.js?logs=[%22PASS%20IFrame%20%231%20generated%20a%20load%20event.%22,%22violated-directive=frame-src%22]:29:21)
Pass
assert_equals("violated-directive=frame-src", "violated-directive=frame-src")
    at Test.<anonymous> ( /content-security-policy/support/logTest.sub.js?logs=[%22PASS%20IFrame%20%231%20generated%20a%20load%20event.%22,%22violated-directive=frame-src%22]:29:21)