<iframe> code in the response body.
content-security-policy attribute on the response file to actually set the
Content-Security-Policy HTTP response headers. For example:
Document that your app MAY want to trust the host where you want to load your iframe from. For that, create a
.ContentSecurityPolicy file, for example containing: