The configured Content Security Policy (CSP) includes the directive img-src 'self' data: blob:. This directive instructs the browser to only load images from the application's own origin ('self'), as data: URIs, or as blob: URIs. The attempt to load an image from an external domain, https://malicious.com, violates this policy. A compliant browser enforces the CSP by blocking the request to the unauthorized domain. As a result, the image will fail to load, and the browser will typically log a security violation error in its developer console.

B: The browser blocks the network request entirely; it does not load the resource and then decide against displaying it.

C: A compliant browser's function is to enforce the CSP, not ignore it. Ignoring the policy would render it useless.

D: The image will not load because its source, https://malicious.com, is not on the whitelist defined by the img-src directive.

1. Pega Platform™ Documentation

"Content security policies": This document outlines that a CSP adds a layer of protection to mitigate attacks like cross-site scripting by specifying the domains that the browser should consider valid sources for resources. The browser is responsible for enforcing this policy.

2. Pega Platform™ Documentation

"Content security policy management": This section details the configuration of CSP directives

including img-src. It explains that these directives create a whitelist of allowed sources

and any resource from a non-whitelisted source will be blocked by the browser.

3. Pega Platform™ Documentation

"Security Checklist": The Pega security checklist emphasizes implementing a strict Content Security Policy as a critical measure to secure the application

confirming that policies are meant to be enforced to prevent loading of untrusted assets.