CSP is super fun. "In Chrome and Safari, omitting frame-ancestors allows framing by a file:// or data: URI, but specifying frame-ancestors "*" does not." github.com/w3c/webappsec-csp…