Missing allow-same-origin in CSP sandbox directive does not prevent same origin content from loading, when only 'self' is specified in CSP directives
Reported by some.fr...@gmail.com, Apr 9 2018
Issue description

UserAgent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0

Steps to reproduce the problem:
1. node server.js localhost 9999
2. Navigate to http://localhost:9999
3. Open the browser console

What is the expected behavior?
The absence of allow-same-origin should prevent content (scripts and iframes) from the page origin from loading.

What went wrong?
In Chromium 60.0.3112.113 (Developer Build) Fedora Project (64-bit), both the iframe and the script load. In Google Chrome 66.0.3359.33 (Official Build) beta (64-bit), only the script loads. The iframe does not.

Did this work before? N/A
Does this work in other browsers? N/A

Chrome version: 60.0.3112.113 Channel: stable
OS Version: 4.13.16-100.fc25.x86_64
Flash Version: Shockwave Flash 29.0 r0

When the sandbox is set on an iframe, it behaves correctly. The CSP sandbox directive semantics are exactly the same as the sandbox HTML attribute for iframes.
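A minimal stand-in for the server.js named in the reproduction steps above, as an added example that is not the reporter's attachment (which does not appear on this page). The policy string, the paths and the page contents are assumptions chosen to match the issue title: a CSP sandbox directive without allow-same-origin, combined with source lists that contain only 'self'.

```javascript
// Constructed reproduction server (assumption: NOT the reporter's server.js).
// Usage: node server.js localhost 9999, then open the browser console.

// Assumed policy: sandbox without allow-same-origin, sources limited to 'self'.
// allow-scripts is included so that script execution itself is not what blocks the test.
const CSP = "sandbox allow-scripts; script-src 'self'; frame-src 'self'";

// Constructed test resources, all served from the page's own origin.
const PAGES = {
  '/': {
    type: 'text/html',
    csp: true, // only the top-level document carries the policy
    body: '<!doctype html><title>CSP sandbox test</title>' +
          '<script src="/script.js"></script>' +
          '<iframe src="/frame.html"></iframe>',
  },
  '/script.js': {
    type: 'application/javascript',
    body: "console.log('script from page origin ran; self.origin =', self.origin);",
  },
  '/frame.html': { type: 'text/html', body: '<p>iframe from page origin loaded</p>' },
};

// Pure function so the headers can be inspected without opening a socket.
function buildResponse(path) {
  const page = PAGES[path];
  if (!page) return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
  const headers = { 'Content-Type': page.type };
  if (page.csp) headers['Content-Security-Policy'] = CSP;
  return { status: 200, headers, body: page.body };
}

async function startServer(host, port) {
  const http = await import('node:http');
  const server = http.createServer((req, res) => {
    const path = new URL(req.url, 'http://placeholder').pathname;
    const { status, headers, body } = buildResponse(path);
    res.writeHead(status, headers);
    res.end(body);
  });
  server.listen(port, host, () => console.log(`listening on http://${host}:${port}/`));
  return server;
}

// Start only when host and port are given on the command line.
if (process.argv.length >= 4) startServer(process.argv[2], Number(process.argv[3]));
```

In the console, the log line from /script.js and any CSP violation reports show which of the two same-origin resources each browser version allowed.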
Apr 10 2018
Unable to triage this issue from TE-end because of non-availability of web server, hence adding TE-NeedsTriageHelp label for further triage.
Comment 1 by some.fr...@gmail.com, Apr 9 2018