RFC: Limiting provider object injection to secure contexts

I wouldn’t go so far as to make it a ‘should.’ Most EIPs don’t include them, and I find it encourages slightly vaguer specs (thankfully this isn’t the case in this EIP). Just make the tests self-contained and simple, such as a plain HTML file with no dependencies and inline JS.

I’m a little bit confused by these two restrictions:

  • By default the Ethereum Provider APIs MUST NOT be exposed to third-party iframes.
  • If the iframe is a third party to the top-level secure origin, it SHOULD be blocked.

Should third-party iframes always be blocked? Note that this requirement would break dapps like Gnosis Safe and Dhedge that embed exchanges in their web apps to facilitate trading on them with their smart contract wallet/investment pool.
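
The two restrictions quoted above, written out as a decision function in an added example that is not part of the post, the EIP, or any wallet's code. It assumes "third party" means the frame's origin differs from the top-level origin, and it models "by default" with a hypothetical `allowThirdPartyFrames` opt-in; the frame objects and example domains are constructed.

```javascript
// Added illustration: not code from the EIP or from any wallet.
// Assumptions: "third party" = frame origin differs from the top-level origin;
// `allowThirdPartyFrames` is a hypothetical opt-in modelling "by default".

function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? null : origin; // opaque origins such as data: URLs
  } catch {
    return null; // unparsable URL
  }
}

function decideInjection(frame, policy = { allowThirdPartyFrames: false }) {
  // frame.isSecureContext stands in for window.isSecureContext inside that frame.
  if (!frame.isSecureContext) return { inject: false, reason: "insecure-context" };
  if (frame.isTopLevel) return { inject: true, reason: "secure-top-level" };
  const own = originOf(frame.url);
  const top = originOf(frame.topUrl);
  if (own === null || top === null) return { inject: false, reason: "opaque-origin" };
  if (own === top) return { inject: true, reason: "first-party-frame" };
  // The embedded-exchange case raised in the post lands here.
  return policy.allowThirdPartyFrames
    ? { inject: true, reason: "third-party-opted-in" }
    : { inject: false, reason: "third-party-frame" };
}

// Constructed sample frames (example domains, not real dapps).
const TOP = "https://dapp.example/";
const SAMPLES = {
  httpTop: { isTopLevel: true, isSecureContext: false, url: "http://dapp.example/", topUrl: "http://dapp.example/" },
  httpsTop: { isTopLevel: true, isSecureContext: true, url: TOP, topUrl: TOP },
  sameOriginFrame: { isTopLevel: false, isSecureContext: true, url: "https://dapp.example/widget", topUrl: TOP },
  embeddedExchange: { isTopLevel: false, isSecureContext: true, url: "https://exchange.example/swap", topUrl: TOP },
  dataUrlFrame: { isTopLevel: false, isSecureContext: true, url: "data:text/html,<p>x</p>", topUrl: TOP },
};

// Returns { sampleName: reason } for every constructed frame under a policy.
function evaluateSamples(policy) {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, frame]) => [name, decideInjection(frame, policy).reason])
  );
}

console.log("default policy:", evaluateSamples());
console.log("with opt-in:   ", evaluateSamples({ allowThirdPartyFrames: true }));
```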