content-security-policy

content-security-policy, iframes, Security

CSP Allow-list Experiment

Simon Willison / May 13, 2026

Tool: CSP Allow-list Experiment
An experiment that shows that you can load an app in a CSP-protected sandboxed iframe (see previous note) and have a custom fetch() that intercepts CSP errors and passes them up to the parent window…

content-security-policy, iframes, JavaScript, sandboxing, Security

Can JavaScript Escape a CSP Meta Tag Inside an Iframe?

Simon Willison / April 3, 2026

Research: Can JavaScript Escape a CSP Meta Tag Inside an Iframe?
In trying to build my own version of Claude Artifacts I got curious about options for applying CSP headers to content in sandboxed iframes without using a separate domain to host…