Can JavaScript Escape a CSP Meta Tag Inside an Iframe?
Research: Can JavaScript Escape a CSP Meta Tag Inside an Iframe? (https://github.com/simonw/research/tree/main/test-csp-iframe-escape#readme)
In trying to build my own version of Claude Artifacts I got curious about options for applying CSP headers to content in sandboxed iframes without using a separate domain to host the files. Turns out you can inject <meta http-equiv="Content-Security-Policy"...> tags at the top of the iframe content and they'll be obeyed even if subsequent untrusted JavaScript tries to manipulate them.
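A sketch of the injection step described above, as an added example that is not code from the linked research. The function names, the default policy, and the use of `srcdoc` with `sandbox="allow-scripts"` are assumptions chosen for illustration.

```javascript
// Added example: buildSandboxedDocument, mountSandboxedIframe and
// DEFAULT_POLICY are hypothetical names, not from the linked research.
const DEFAULT_POLICY = [
  "default-src 'none'",          // no network fetches of any kind
  "script-src 'unsafe-inline'",  // inline scripts only, no remote script URLs
  "style-src 'unsafe-inline'",
  "img-src data:",
].join("; ");

// Directives that browsers ignore when the policy arrives via <meta>.
const META_UNSUPPORTED = ["frame-ancestors", "report-uri", "sandbox"];

function escapeAttr(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function buildSandboxedDocument(untrustedHtml, policy = DEFAULT_POLICY) {
  for (const name of META_UNSUPPORTED) {
    if (new RegExp(`(^|;)\\s*${name}(\\s|;|$)`, "i").test(policy)) {
      throw new Error(`${name} has no effect in a <meta> CSP`);
    }
  }
  // The policy only governs content parsed after the tag, so the tag is
  // the first element of <head> and untrusted markup goes strictly after it.
  return "<!DOCTYPE html><html><head>" +
    `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(policy)}">` +
    '<meta charset="utf-8"></head><body>' +
    untrustedHtml +
    "</body></html>";
}

// Browser-only helper: loads the wrapped document without a separate domain.
function mountSandboxedIframe(parent, untrustedHtml, policy = DEFAULT_POLICY) {
  const frame = parent.ownerDocument.createElement("iframe");
  // allow-scripts without allow-same-origin keeps the frame in an opaque origin.
  frame.setAttribute("sandbox", "allow-scripts");
  frame.srcdoc = buildSandboxedDocument(untrustedHtml, policy);
  parent.appendChild(frame);
  return frame;
}
```

The wrapper never parses or rewrites the untrusted markup; it relies only on ordering, so a later script that removes or edits the tag acts on a document whose policy is already in force.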
Tags: iframes (https://simonwillison.net/tags/iframes), security (https://simonwillison.net/tags/security), javascript (https://simonwillison.net/tags/javascript), content-security-policy (https://simonwillison.net/tags/content-security-policy), sandboxing (https://simonwillison.net/tags/sandboxing)