JavaScript
tuxx, 2019-02-04 17:58:27

How to setup CSP for iframe?

I cannot configure cross-site access / Content-Security-Policy so that cross-site JS code on a page can access iframe content. The page itself is on a second-level domain (site.ru), or localhost:1111 for the demo. The iframe is loaded from a third-level subdomain (sub.site.ru, or localhost:222). When I try to get elements of the iframe from the page, I get an error in the console:
$frame[0].contentWindow.document;

SecurityError: Permission denied to access property "document" on cross-origin object

For the iframe I add the attribute:
sandbox="allow-same-origin allow-scripts"
I also add js code to the page with the iframe and to the iframe itself:
document.domain = 'site.ru';
or
document.domain = 'localhost'; // for the demo
I tried to set different headers for the main page through nginx:
X-Frame_options: allow-from https://site.ru
X-Frame_options: allow-from https://localhost:1111

Content-Security-Policy: "default-src 'self' https://site.ru https://*site.ru https://site.ru script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; object-src *"
Content-Security-Policy: "default-src 'self' https://localhost https://*localhost https://localhost*; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; object-src *"

Origin: site.ru
Origin: localhost
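A note on the mechanics behind the question, followed by an added example that is not part of the original post. CSP and X-Frame-Options only govern what a page may load and who may embed it; neither grants a parent page script access to a cross-origin frame's DOM. The only way to get direct DOM access between site.ru and sub.site.ru is setting document.domain to the same value on both sides, and that mechanism is deprecated and can be disabled by browsers. The supported way for the two documents to cooperate is window.postMessage with an explicit targetOrigin and an origin check on every received message. The example below shows both sides of that exchange; the host names, the "frame-ready" message type and the frame element id are assumptions chosen to match the asker's setup.

```javascript
// Added example (not from the original post): parent page and iframe on
// different origins exchanging data via postMessage with origin checks,
// instead of relaxing CSP or document.domain.

// Origins the parent page accepts messages from (assumed values standing in
// for the asker's sub.site.ru / localhost:222 frame).
const TRUSTED_FRAME_ORIGINS = new Set([
  'https://sub.site.ru',
  'http://localhost:222', // demo setup
]);

// Exact-match allowlist. Never use startsWith/indexOf here: a prefix check
// would accept "https://sub.site.ru.evil.example" as well.
function isTrustedOrigin(origin) {
  return TRUSTED_FRAME_ORIGINS.has(origin);
}

// Parent side: validate a "message" event from the frame. Returns the
// accepted payload, or null when the origin or the message shape is wrong.
function handleFrameMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;
  const data = event.data;
  if (!data || typeof data !== 'object') return null;
  if (data.type !== 'frame-ready' || typeof data.height !== 'number') return null;
  return { height: data.height };
}

// Parent side: post to the frame with an explicit targetOrigin, so the browser
// drops the message if the frame has since navigated to another origin.
// Returns true when the message was handed to postMessage.
function sendToFrame(frameWindow, targetOrigin, payload) {
  if (!isTrustedOrigin(targetOrigin)) return false;
  frameWindow.postMessage(payload, targetOrigin);
  return true;
}

// Frame side (script running inside sub.site.ru): only answer the one parent
// origin it expects, and always name that origin when replying.
const PARENT_ORIGIN = 'https://site.ru'; // assumed
function handleParentMessage(event, replyTo) {
  if (event.origin !== PARENT_ORIGIN) return false;
  if (!event.data || event.data.type !== 'get-height') return false;
  replyTo.postMessage({ type: 'frame-ready', height: 480 }, PARENT_ORIGIN);
  return true;
}

// Browser wiring for the parent page; skipped when run under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.getElementById('frame'); // assumed element id
  window.addEventListener('message', (event) => {
    const msg = handleFrameMessage(event);
    if (msg && frame) frame.style.height = msg.height + 'px';
  });
  if (frame) {
    frame.addEventListener('load', () => {
      sendToFrame(frame.contentWindow, 'https://sub.site.ru', { type: 'get-height' });
    });
  }
}

module.exports = { isTrustedOrigin, handleFrameMessage, sendToFrame, handleParentMessage };
```

With this in place the frame's sandbox attribute can stay as restrictive as the embedded content allows, and the parent's CSP does not need `script-src *` or `object-src *`; if the goal is to control who may embed sub.site.ru, the CSP directive for that is `frame-ancestors` on the framed page, not the headers tried on the main page.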
