When someone pastes into a text box of a CMS
<a href="https://attacker-domain.com/clickjacking_test_hehp.html" >
(eg Click Jacking Test ) and it gets rendered in a web page so that a users can click on that link that's a problem.
default-src self; is fine if it was not for all the different CDN content. The navigate-to self; only works on some browsers if at all. All the other examples refer to iFrames/Frame examples. Ideally the CMS code should prevent this if it were a new system, no so with a legacy system. The only route I can see is default-src self + all the other urls;
How do you configure a Azure FrontDoor/WAF CSP policy to prevent hyper links to other sites?