The following sub-iframe, hosted on https://static.iconet-foundation.org/docs/iframe-example/embed-me.html, is embeddable by this iframe thanks to the embedded enforcement spec, since it is served with an Allow-CSP-From: * header.

This way, you can show content from within an iframe that is whitelisted through the iframe's csp attribute even though the parent's CSP would disallow it in its own context. This is very helpful because it allows fallback-iframes to load content from sources that the embedding document has not whitelisted in its CSP.

It does not work if the csp attribute is missing on the iframe.
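
The opt-in described above can be sketched as a small decision function. This is an added example, not code from this page or from any browser: it is a simplified model of the Allow-CSP-From check, and the function names, return labels, parent URL and policy string are assumptions. It does not model the spec's other path, where the embedded response delivers its own CSP that is at least as strict as the one in the csp attribute.

```javascript
// Added example: simplified model of the Allow-CSP-From opt-in check.
// Names and return labels are hypothetical, chosen for this sketch.

// Case-insensitive header lookup over a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  return key === undefined ? null : String(headers[key]).trim();
}

// Serialized origin of a URL string, or null if unparsable or opaque.
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// cspAttribute: value of the iframe's csp attribute, or null if absent.
// embedderUrl: URL of the document that contains the iframe.
// responseHeaders: headers of the response for the embedded document.
function frameDecision(cspAttribute, embedderUrl, responseHeaders) {
  // Without a csp attribute no policy is requested of the embedded page.
  if (cspAttribute === null || cspAttribute === undefined) {
    return "no-required-csp";
  }
  const allowFrom = getHeader(responseHeaders, "Allow-CSP-From");
  if (allowFrom === null) return "needs-own-matching-csp";
  // "*" lets any embedder impose its policy on this response.
  if (allowFrom === "*") return "load-with-required-csp";
  // Otherwise the header names one origin that may impose a policy.
  const allowed = originOf(allowFrom);
  if (allowed !== null && allowed === originOf(embedderUrl)) {
    return "load-with-required-csp";
  }
  return "needs-own-matching-csp";
}

// Constructed sample: parent origin and policy are made up for the demo.
const PARENT = "https://parent.example/page";
const POLICY = "script-src 'none'";
console.log(frameDecision(POLICY, PARENT, { "Allow-CSP-From": "*" }));
```

A response that sends Allow-CSP-From: * accepts whatever policy any embedder puts in the csp attribute, so that value fits documents that stay safe under arbitrary restrictions; naming a single origin limits the opt-in to that embedder.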