The iframe below is from the same origin as the main document, BUT the sandboxing attribute says it must be in its own origin. Then, CSP should block loading the CSS from the main document's origin
When the attribute is set, the content is treated as being from a unique origin, forms, scripts, and various potentially annoying APIs are disabled, links are prevented from targeting other browsing contexts, and plugins are secured.
Opera/Chrome (Webkit then?) properly do this sandboxing, and yells an error in the console telling you that the CSS wasn't loaded because its origin doesn't match the CSP rule, but Firefox doesn't sandbox the iframe, and loads the CSS.
Refused to load the stylesheet 'https://xenos.reinom.com/mdn/iframe-sanbox-attribute/subframe.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'".