Simon Willison Blog·Research·1d ago·~1 min read
CSP Allow-list Experiment
13th May 2026
An experiment that shows that you can load an app in a CSP-protected sandboxed iframe (see previous note) and have a custom fetch()
that intercepts CSP errors and passes them up to the parent window... which can then prompt the user to add that domain to an allow-list and then refresh the page.
I built this one with GPT-5.5 xhigh running in the Codex desktop app.
Recent articles
- Notes on the xAI/Anthropic data center deal - 7th May 2026
- Live blog: Code w/ Claude 2026 - 6th May 2026
- Vibe coding and agentic engineering are getting closer than I'd like - 6th May 2026