Embed an iframe

Steps:

  • Inject the <iframe> code in the response body.

  • Set the content-security-policy attribute on the response file; this is what actually sets the Content-Security-Policy HTTP response header. For example:
    response.attrStr('content-security-policy', 'https://www.youtube.com');

  • Document that your app MAY want to trust the host you want to load your iframe from. To do that, create a .ContentSecurityPolicy file, for example containing:
    https://www.youtube.com
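
The steps above rely on two inputs: the host requested through the content-security-policy attribute and the hosts listed in the app's .ContentSecurityPolicy file. The following is an added example, not the framework's own code, of how those two inputs can be combined into a header value. The function names and the choice of the frame-src directive are assumptions made for illustration.

```javascript
// Added illustration, not the framework's code.
// Assumptions: a requested host is honoured only if the app's
// .ContentSecurityPolicy file lists it, and the result is emitted as frame-src.

// Accept only bare https origins (scheme, host, optional port).
const ORIGIN_RE = /^https:\/\/[a-z0-9.-]+(:\d+)?\/?$/i;

// Split on whitespace or newlines and keep the tokens that are plain origins.
// Wildcards, keywords such as 'unsafe-inline', paths, and anything carrying a
// ';' or ',' are dropped, so a value cannot smuggle in extra directives.
function parseOrigins(text) {
  const origins = new Set();
  for (const token of text.split(/\s+/).filter(Boolean)) {
    if (!ORIGIN_RE.test(token)) continue;
    try {
      origins.add(new URL(token).origin); // normalises case and trailing slash
    } catch {
      continue; // e.g. a port number out of range
    }
  }
  return [...origins];
}

// requested: value passed with the content-security-policy attribute.
// trustFileText: contents of the app's .ContentSecurityPolicy file.
function buildCspHeader(requested, trustFileText) {
  const trusted = new Set(parseOrigins(trustFileText));
  const allowed = parseOrigins(requested).filter((o) => trusted.has(o));
  // If nothing survives, forbid framing rather than emit an empty directive.
  return `frame-src ${allowed.length ? allowed.join(' ') : "'none'"}`;
}

// Constructed sample inputs.
const trustFile = 'https://www.youtube.com\n';
console.log(buildCspHeader('https://www.youtube.com', trustFile));
console.log(buildCspHeader('https://www.youtube.com; script-src *', trustFile));
console.log(buildCspHeader('https://untrusted.example https://WWW.youtube.com/', trustFile));
```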