IFrame CSP Testing

Each box below embeds an iframe at a different location (a normal https page, about:blank, about:srcdoc, a data: URL, a blob: URL, etc). Every iframe tries to fetch the same protected resource, which is only allowed by a CSP rule that lists the target host without a scheme. Green ✓ means the fetch succeeded (the schemeless rule matched); red ✗ means it was blocked.
CSP header sent with this page:
loading…