about:blank, about:srcdoc, a data: URL, a blob: URL, etc).
Every iframe tries to fetch the same protected resource, which is only allowed by a CSP rule that lists
the target host without a scheme. Green ✓
means the fetch succeeded (the schemeless rule matched); red ✗
means it was blocked.
loading…