CSP Allow-list Experiment

Tool: CSP Allow-list Experiment

An experiment that shows that you can load an app in a CSP-protected sandboxed iframe (see previous note) and have a custom fetch() that intercepts CSP errors and passes them up to the parent window… which can then prompt the user to add that domain to an allow-list and then refresh the page.

Screenshot of a web tool titled "CSP Allow-list Experiment" with buttons Reset sample, Clear allow-list, Refresh preview. Left panel shows HTML source code starting with <!doctype html>. Right panel shows Preview with CSP header default-src 'none'; script-src 'unsafe-inline'; style-s... and heading "Sandbox fetch test". A modal dialog from tools.simonwillison.net is overlaid reading: "The sandbox tried to connect to: https://api.inaturalist.org Add this origin to the CSP connect-src allow-list and refresh the page?" with an unchecked checkbox "Don't allow tools.simonwillison.net to prompt you again" and Cancel and OK buttons. Below is "Messages from sandbox" showing fetch-catch blocked https://api.inaturalist.org/v1/observations?per... connect-src · https://api.inaturalist.org. At the bottom left is "Allowed fetch() origins" with an input field containing https://api.github.com, an Add button, and a tag https://api.github.com x.

I built this one with GPT-5.5 xhigh running in the Codex desktop app.

Tags: content-security-policy, iframes, security

Liked Liked