Research confirms that JavaScript in sandboxed iframes cannot bypass CSP meta tags, even through DOM manipulation or navigation to data URIs. This provides a reliable security mechanism for embedding untrusted content without separate domains. The findings were validated across Chromium and Firefox browsers.
Background
Content Security Policy (CSP) is a security standard that helps prevent cross-site scripting attacks by restricting resources a page can load. Sandboxed iframes are commonly used to isolate untrusted content while allowing limited functionality.
- Source
- Simon Willison
- Published
- Apr 4, 2026 at 12:05 AM
- Score
- 6.0 / 10