I think we do have to worry about page's CSP blocking the script when using a data: or blob: iframe, which would inherit the CSP.
Bug 1967731 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
I think we do have to worry about page's CSP blocking the script when using a data: or blob: iframe, which would inherit the CSP. Edit: We can probably just special case these URLs in SubjectToCSP. I am looking.