Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI
The Mozilla Foundation Security Advisory describes this flaw as: An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link...