An application has a web page where users can upload and view images.

Comprehensive and Detailed Explanation From Exact Extract:

Pega’s security features, as taught in Pega Academy’sSecurity Missionand thePega Certified Lead System Architect Study Guide, include Content Security Policies (CSP) to mitigate cross-site scripting (XSS) by restricting resource sources. The CSP directives define allowed sources for images, scripts, and other content.

Option A (Correct): The CSP directive img-src 'self' data: blob: restricts image sources to the application’s domain, data URIs, and blobs. An image from https://malicious.com is not permitted, so the browser blocks it and may display an error in the console, as documented in the Content Security Policysection of Pega Community.

Option B (Incorrect): The browser does not load blocked images; it rejects them outright based on the CSP, per theWeb Securitymodule.

Option C (Incorrect): The browser enforces the CSP and does not ignore it, as CSP is a mandatory security mechanism, per theSecurity Designguidelines.

Option D (Incorrect): The image from https://malicious.com is not an allowed source, so it will not load or display, as noted in the CSP Configurationmodule.