IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
Harness status: OK
Found 3 tests
| Result | Test Name | Message |
|---|---|---|
| Pass | frame-src-cross-origin-load | Asserts runNo asserts ran |
| Pass | frame-src-cross-origin-load 1 | Asserts runNo asserts ran |
| Pass | frame-src-cross-origin-load 2 | Asserts runNo asserts ran |