Blob Schema Blocked for iframes

The frame-src directive of the Content Security Policy prevents access to a blob URL from an iframe. This change was introduced in the Spring ’20 release, but wasn’t documented until now.

Where: This change applies to Lightning Experience and all versions of the Salesforce app.

Why: This restriction prevents an attacker from injecting arbitrary content into an iframe in a clickjacking attempt.

How: Use a regular link to a blob URL and open the content in a new tab or window instead of using an iframe.
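To check whether a given policy lets an iframe load a blob URL, the sketch below resolves the directive that governs frames and looks for an explicit `blob:` source. It is an added example, not Salesforce code; the function names and policy strings are constructed for illustration, and it assumes a single policy with no comma-joined headers.

```javascript
// Added example: decide whether a CSP string permits <iframe src="blob:...">.
// Frames are governed by frame-src, falling back to child-src, then default-src.
function effectiveFrameSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; only the first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (directives.has(name)) {
      return { directive: name, sources: directives.get(name) };
    }
  }
  return null; // no directive governs frames, so CSP does not restrict them
}

function blobIframeAllowed(policy) {
  const eff = effectiveFrameSources(policy);
  if (eff === null) return true;
  // The wildcard * does not cover blob:, so the scheme must be listed explicitly.
  return eff.sources.some((s) => s.toLowerCase() === 'blob:');
}

// Constructed sample policies (not the actual Salesforce header).
const samples = [
  "default-src 'self'; frame-src 'self' https://example.com",
  "frame-src 'self' blob:",
  "frame-src *",
  "default-src 'self' blob:; frame-src 'self'",
];
for (const p of samples) {
  const eff = effectiveFrameSources(p);
  console.log(`${blobIframeAllowed(p) ? 'allowed' : 'blocked'} via ${eff.directive}: ${p}`);
}
```
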