This is the target iframe.
JS enabled? Scripts are enabled with the iframe attribute sandbox="allow-scripts" and the CSP rule script-src 'unsafe-inline';
Local fetch working? Connections are restricted by the CSP rule default-src 'none';
This text should be green. This is enabled by CSP rule style-src 'unsafe-inline';
The following sub-iframe, hosted on https://static.iconet-foundation.org/docs/iframe-example/embed-me.html, is embeddable by this iframe thanks to the embedded enforcement spec, since it is served with an Allow-CSP-From: * header.
This way, you can show content inside an iframe from a source that is whitelisted through the iframe's csp attribute, even though the parent's CSP would disallow that source in its own context. This is very helpful because it allows fallback-iframes to load content from sources that the embedding document has not whitelisted in its CSP.
It does not work with the csp attribute missing on the iframe.
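An added example, not part of the original page: a simplified JavaScript model of the opt-in check made on the Allow-CSP-From header when an iframe carries a csp attribute. The function names, origins and policy string are constructed for illustration, and the subsumption check for the non-opt-in case is not modelled.

```javascript
// Simplified model of the Allow-CSP-From opt-in check (CSP Embedded Enforcement).
// All names and sample values are hypothetical/constructed.

// True when the embedded response accepts any policy the embedder requires.
function allowsBlanketEnforcement(allowCspFrom, embedderOrigin) {
  if (typeof allowCspFrom !== "string") return false; // header absent
  const value = allowCspFrom.trim();
  if (value === "*") return true;                     // opt in for every embedder
  try {
    // Otherwise the value must be exactly the embedder's serialized origin.
    return new URL(value).origin === value &&
           value === new URL(embedderOrigin).origin;
  } catch {
    return false;                                     // unparsable value: no opt-in
  }
}

// requiredCsp: value of the iframe's csp attribute, or null when it is missing.
function decideEmbed({ requiredCsp, allowCspFrom, embedderOrigin }) {
  if (!requiredCsp) {
    // No csp attribute: embedded enforcement is not involved at all.
    return { outcome: "not-applicable", enforced: null };
  }
  if (allowsBlanketEnforcement(allowCspFrom, embedderOrigin)) {
    // The browser loads the response and enforces the required policy on it.
    return { outcome: "load-and-enforce", enforced: requiredCsp };
  }
  // No opt-in: the response's own CSP must subsume requiredCsp or the load is blocked.
  return { outcome: "needs-subsumption", enforced: null };
}

const embedder = "https://embedder.example";                      // constructed origin
const required = "default-src 'none'; style-src 'unsafe-inline'"; // constructed policy
console.log(decideEmbed({ requiredCsp: required, allowCspFrom: "*", embedderOrigin: embedder }));
console.log(decideEmbed({ requiredCsp: required, allowCspFrom: null, embedderOrigin: embedder }));
console.log(decideEmbed({ requiredCsp: null, allowCspFrom: "*", embedderOrigin: embedder }));
```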