We have the below CSP directives defined on our site:
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.youtube.com; style-src 'self' 'unsafe-inline'; frame-src *.facebook.com www.youtube.com;
According to this value, we only allow Facebook and YouTube domains as the src value in our site's iframes. But then we have iframes on our site.
How are these iframes not restricted by the CSP rule?
Thanks in advance.
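The frame-src check the post describes, as an added example that is not part of the original post: it parses the quoted policy and reports whether a given iframe URL would be permitted. It handles only scheme-less host-sources like the ones in this policy, assumes the page is served over https, and all function names are hypothetical.

```javascript
// Added example: simplified CSP frame-src matching (scheme-less host-sources only).
// POLICY is copied from the post; the https page scheme is an assumption.
const POLICY =
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.youtube.com; " +
  "style-src 'self' 'unsafe-inline'; frame-src *.facebook.com www.youtube.com;";

// Split a policy string into { directive: [source, ...] }.
function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in out)) out[name] = tokens.slice(1); // duplicate directives are ignored
  }
  return out;
}

// frame-src falls back to child-src, then default-src; null means frames are unrestricted.
function frameSources(directives) {
  for (const name of ["frame-src", "child-src", "default-src"]) {
    if (name in directives) return directives[name];
  }
  return null;
}

// "*.facebook.com" matches subdomains only, not facebook.com itself.
function hostMatches(source, host) {
  const s = source.toLowerCase();
  const h = host.toLowerCase();
  if (s.startsWith("*.")) return h.endsWith(s.slice(1));
  return h === s;
}

// Decide whether an http(s) iframe URL passes the policy's frame source list.
function frameAllowed(policy, frameUrl, pageScheme = "https:") {
  const sources = frameSources(parsePolicy(policy));
  if (sources === null) return true;
  const url = new URL(frameUrl);
  if (!/^https?:$/.test(url.protocol)) throw new Error("only http(s) frame URLs are handled");
  // A scheme-less source takes the page's scheme; an http page may also load https.
  const schemeOk = url.protocol === pageScheme ||
    (pageScheme === "http:" && url.protocol === "https:");
  if (!schemeOk || url.port !== "") return false; // non-default ports do not match
  return sources.some((s) => !s.startsWith("'") && hostMatches(s, url.hostname));
}
```

Running each iframe `src` found on the site through `frameAllowed` shows which ones this policy text would block, which can then be compared with the policy header the browser actually receives.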