E-Ink News Daily

CSP Allow-list Experiment

Simon Willison presents an experimental approach to handling Content Security Policy (CSP) restrictions by using a sandboxed iframe with custom fetch interception. The system detects CSP errors, prompts users to add domains to an allow-list, and refreshes the page. The project was built using GPT-5.5 xhigh in the Codex desktop app, demonstrating innovative use of AI in web security solutions.

Background

Content Security Policy (CSP) is a security standard that helps prevent cross-site scripting (XSS) and other code injection attacks by specifying which dynamic resources are allowed to load. Sandboxed iframes provide an additional layer of security by restricting the capabilities of embedded content.
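The detect, prompt, reload loop from the summary above, as an added example that is not Simon Willison's code. It assumes the allow-list is rendered into a `connect-src` directive and that violations arrive shaped like `securitypolicyviolation` events; the function names and sample events are hypothetical.

```javascript
// Added illustration. buildCsp, originFromBlockedUri and proposeAllow are hypothetical names.

// Policy for the sandboxed frame: deny by default, network access only to
// origins the user has approved. Sorted so the header is deterministic.
function buildCsp(allowList) {
  const origins = [...allowList].sort();
  const connect = origins.length ? origins.join(" ") : "'none'";
  return `default-src 'none'; connect-src ${connect}`;
}

// blockedURI is not always a URL: it can be a keyword ("inline", "eval") or a
// non-network scheme ("data:"). Only an https URL yields an origin here
// (https-only is a choice made for this example).
function originFromBlockedUri(blockedUri) {
  let url;
  try {
    url = new URL(blockedUri);
  } catch {
    return null;
  }
  return url.protocol === "https:" ? url.origin : null;
}

// Handle one violation. `approve` stands in for the user prompt and is shown
// the exact origin, never a wildcard. Returns the next allow-list and whether
// the frame must be reloaded under the new policy.
function proposeAllow(allowList, violation, approve) {
  const origin = originFromBlockedUri(violation.blockedURI);
  const relevant = violation.effectiveDirective === "connect-src";
  if (!origin || !relevant || allowList.has(origin) || !approve(origin)) {
    return { allowList, reload: false };
  }
  return { allowList: new Set(allowList).add(origin), reload: true };
}

// Constructed sample events, processed in order with an "always approve" prompt.
const CONSTRUCTED_VIOLATIONS = [
  { blockedURI: "https://api.example.com/v1/items?q=1", effectiveDirective: "connect-src" },
  { blockedURI: "inline", effectiveDirective: "script-src-elem" },
  { blockedURI: "data:text/plain,hi", effectiveDirective: "connect-src" },
];
let state = new Set();
for (const v of CONSTRUCTED_VIOLATIONS) {
  const next = proposeAllow(state, v, () => true);
  console.log(v.blockedURI, "->", next.reload ? "reload" : "ignored");
  state = next.allowList;
}
console.log(buildCsp(state));
```

Only the origin is stored, so a path or query string in the blocked request never widens or leaks into the policy.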

Source: Simon Willison
Published: May 13, 2026 at 12:50 PM
Score: 6.0 / 10