From what you've written, I believe you're embedding your Visualforce page in a record page layout in the Classic interface. Visualforce in a page layout is always wrapped in that iframe with the size and other attributes you set in the page layout editor. That iframe's presence is not the issue.
The CSP Trusted Sites documentation specifies that these settings only apply to the Lightning UI, and says:
NOTE To enable corresponding access for Visualforce or Apex, create a Remote Site.
So you need to add https://my-site.com as a Remote Site, under Remote Site Settings in Setup.
If you are trying to use this Visualforce page inside of Lightning, the recommendation is basically, don't. From Understanding the Salesforce App Container in the Visualforce Developer Guide:
Avoid using <apex:iframe> on a Visualforce page within the Salesforce app container. Only use this tag if you really understand iframes and how they affect the DOM and JavaScript.
added based on comments
You should not use direct # (Id selector) and . (class selector) selectors in jquery (or any other library) as that will cross the component boundary. You should instead use $(component.find('initid').getElement()) which will respect component boundary.
Once the library is loaded $ is available throughout. Also there is no need of onready as you are already invoking the function on afterScriptsLoaded.
Below is the sample script:
COMPONENT:
<ltng:require scripts="{!$Resource.myscripts +'/jquery-3.4.1.min.js'}"
afterScriptsLoaded="{!c.scriptsLoaded}" />
<div>
POC test jquery
</div>
<div aura:id="initid" class="initid">
initid
</div>
<lightning:button label="Add Text" onclick="{!c.addText}" />
<div aura:id="dynamictext" class="dynamictext">
dynamictext
</div>
CONTROLLER js:
scriptsLoaded : function(component, event, helper){
console.log('handle scriptsLoaded load => ', $, jQuery);
$(component.find('initid').getElement()).text('Added text during init');
},
addText : function(component, event, helper){
$(component.find('dynamictext').getElement()).text('dynamic text from button');
}
Old answer
I just tested in my org with below code:
COMPONENT file:
<ltng:require scripts="{!$Resource.myscripts +'/jquery-3.4.1.min.js'}"
afterScriptsLoaded="{!c.scriptsLoaded}" />
<div>
POC test jquery
</div>
CONTROLLER js:
scriptsLoaded : function(component, event, helper){
console.log('handle scriptsLoaded load => ', $, jQuery);
}
And got below log:
handle scriptsLoaded load => ƒ (e,t){return new k.fn.init(e,t)} ƒ (e,t){return new k.fn.init(e,t)}
This means it is working in community - even when I login as community user.
Best Answer
Check the X-Frame-Options header of the framed content to make sure that it is allowing you to embed it in an
<iframe>first. If the content has the header set toX-Frame-Options: DENYthen you won't be able to frame the content.If you don't see that header value for the framed content, make sure you also check the "Allow site for frame-src" option in your CSP Trusted Site Definition. Additionally, make sure you also check the community-specific CSP in the Experience Builder as well.