Created attachment 451967 [details] Simple repo with two html files == Steps to reproduce the problem == 1. On a page with a restrictive content security policy 2. Embed a sandboxed, same origin iframe 3. On the parent page, use `setInterval` to check the ready state of the iframe. Once it is listed as `complete`, try using `document.write` to write a new html document into it. This new html document should have its own CSP and try to load content that would be allowed by that CSP but blocked by the parent page's I've attached two simple html files that show this issue in action. To reproduce, start a simple local server in the folder and open `index.html` == What is the expected behavior? == The new content of the inner iframe should load (it should load a picture of a cat with a red background) == What went wrong? == Occasionally resources in the inner iframe will be blocked due to a CSP violation. This happens maybe 25% of the time for me. I can reproduce it even more reliably by reducing the `setInterval` timeout The fact that the code sometimes works suggests to me that there is some sort of race. == Does this work in other browsers? == This is also broken in Chrome (https://bugs.chromium.org/p/chromium/issues/detail?id=1297377). I can't test in Firefox because the entire scenario is blocked by https://bugzilla.mozilla.org/show_bug.cgi?id=1754872 == Other notes== This example seems contrived, but is used in the VS Code codebase to work around https://bugs.webkit.org/show_bug.cgi?id=33604