CSP Allow-List Experiment Bypasses Sandboxed Iframe Restrictions
On May 13, 2026, Simon Willison published an experiment showing how to load an application inside a CSP-protected sandboxed iframe. The approach installs a custom fetch() wrapper that catches CSP-blocked requests and relays them to the parent window, which prompts the user to add the blocked domain to an allow-list and reload the page. The experiment was built with GPT-5.5 xhigh running in the Codex desktop application. Willison also offers a sponsored monthly email digest of significant LLM developments for $10/month.
Key facts
- Experiment demonstrates loading app in CSP-protected sandboxed iframe
- Custom fetch() intercepts CSP errors and passes them to parent window
- Parent window prompts user to add domain to allow-list and refresh
- Built with GPT-5.5 xhigh in Codex desktop app
- Published by Simon Willison on May 13, 2026
- Sponsorship available for $10/month for curated LLM digest
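The mechanism summarised above, as an added example that is not Willison's code and not from the original post: the iframe-side fetch() wrapper cross-checks a failed fetch against the browser's `securitypolicyviolation` events (a CSP block otherwise looks like any network error) and posts a report to the parent, and the parent side maintains the allow-list and rebuilds the `connect-src` directive for the next load. The function names, the message shape and the injected `post`/`confirm` callbacks are assumptions so the logic runs outside a browser.

```javascript
// Iframe side. A CSP-blocked fetch() only rejects with a generic TypeError, so
// the 'securitypolicyviolation' event on document is the reliable block signal.
function recordViolation(violations, event) {
  if (!event.violatedDirective.startsWith('connect-src')) return;
  try { violations.add(new URL(event.blockedURI).origin); } catch {}
}

// Returns the report to send to the parent, or null for an ordinary failure.
function classifyFetchFailure(err, url, violations) {
  let origin;
  try { origin = new URL(url).origin; } catch { return null; } // relative/malformed
  return err instanceof TypeError && violations.has(origin)
    ? { type: 'csp-blocked', origin, url: String(url) } : null;
}

// The fetch() replacement installed in the iframe. In a browser `post` is
// window.parent.postMessage(report, '*'); the sandboxed iframe's origin is opaque.
function makeAllowListFetch(realFetch, post, violations) {
  return async function allowListFetch(input, init) {
    const url = typeof input === 'object' && 'url' in input ? input.url : String(input);
    try {
      return await realFetch(input, init);
    } catch (err) {
      const report = classifyFetchFailure(err, url, violations);
      if (report) post(report);
      throw err; // the app still sees the failure; the user decides what to allow
    }
  };
}

// Parent side. Accept messages only from the iframe (event.source ===
// iframe.contentWindow), ask the user, and return true when the list changed
// so the caller can persist it and reload the page.
function handleBlockedMessage(allowList, msg, confirm) {
  if (!msg || msg.type !== 'csp-blocked') return false;
  let origin;
  try { origin = new URL(msg.origin).origin; } catch { return false; }
  if (allowList.has(origin)) return false;
  if (!confirm(`The app tried to contact ${origin}. Allow it?`)) return false;
  allowList.add(origin);
  return true;
}

// Build the iframe's connect-src. 'self' matches nothing for an opaque-origin
// sandboxed iframe, so an empty allow-list means 'none'.
function buildConnectSrc(allowList) {
  const origins = [...allowList].sort();
  return origins.length ? `connect-src ${origins.join(' ')}` : "connect-src 'none'";
}
```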
Entities
Institutions
- Codex