Blob Schema Blocked for iframes
The frame-src directive of
the Content Security Policy prevents access to a blob URL from an iframe. This change
was introduced in the Spring ’20 release, but wasn’t documented until
now.
Where: This change applies to Lightning Experience and all versions of the Salesforce app.
Why: This restriction prevents an attacker from injecting arbitrary content into an iframe in a clickjacking attempt.
How: Use a regular link to a blob URL and open the content in a new tab or window instead of using an iframe.