Codebase Browser
chromium
Go to App

chromium/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/script-src-in-iframe.html 

<!DOCTYPE html>
<html>
<head>
<script>
if (window.testRunner) {
  testRunner.dumpAsText();
  testRunner.dumpChildFrames();
}
</script>
</head>
<body>
  <p>
    Loads an iframe (a) which loads an iframe (b) which in turns tries to load
    an external script. The iframe (a) has a content security policy disabling
    external scripts. As this policy does not apply to (b), the script should be
    executed.
  </p>
  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-iframe.pl?q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script-src.html&csp=default-src%20*%3B%20script-src%20'none'">
  </iframe>
</body>
</html>