CSP Allow-list Experiment
Tool: CSP Allow-list Experiment (https://tools.simonwillison.net/csp-allow)
An experiment that shows that you can load an app in a CSP-protected sandboxed iframe (see previous note (https://simonwillison.net/2026/Apr/3/test-csp-iframe-escape/)) and give it a custom fetch() wrapper that intercepts CSP errors and passes them up to the parent window... which can then prompt the user to add that domain to an allow-list and refresh the page.
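The iframe-to-parent flow described above, as an added example that is not the tool's own code: the child wraps fetch() and reports a blocked origin to the parent, and the parent validates that message, asks the user, extends the allow-list and rebuilds the frame's CSP. The message name `csp-blocked-fetch`, the `data-parent-origin` attribute, the function names, and the fact that only the connect-src part of the policy is shown are all assumptions made for this example.

```javascript
// Added example, not the tool's own code: the iframe <-> parent flow written as
// plain functions so the allow-list logic can be exercised outside a browser.
// The message name and allow-list shape are assumptions.

const BLOCKED_FETCH_MESSAGE = "csp-blocked-fetch"; // assumed message name

// --- child side (inside the sandboxed iframe) ------------------------------

// Origin of a fetch() input, or null if it is not an absolute URL. Only absolute
// cross-origin URLs are candidates for a connect-src allow-list entry.
function originOf(input) {
  try {
    const url = typeof input === "string" ? input
      : input instanceof URL ? input.href
      : input && typeof input.url === "string" ? input.url : null;
    return url === null ? null : new URL(url).origin;
  } catch {
    return null; // relative or malformed URL: nothing to allow-list
  }
}

// A CSP-blocked fetch() rejects with a TypeError before any response exists.
// Convert that failure into the message the parent expects, or null when the
// allow-list cannot fix it.
function blockedFetchMessage(err, input) {
  if (!(err instanceof TypeError)) return null;
  const origin = originOf(input);
  if (origin === null || origin === "null") return null;
  return { type: BLOCKED_FETCH_MESSAGE, origin };
}

// Replace win.fetch with a wrapper that reports blocked requests to the parent.
// parentOrigin is passed in explicitly (a sandboxed frame has an opaque origin
// and cannot learn it) so postMessage never has to use "*" as target.
function installInterceptingFetch(win, parentOrigin) {
  const realFetch = win.fetch.bind(win);
  win.fetch = async function (input, init) {
    try {
      return await realFetch(input, init);
    } catch (err) {
      const msg = blockedFetchMessage(err, input);
      if (msg && win.parent && win.parent !== win) {
        win.parent.postMessage(msg, parentOrigin);
      }
      throw err; // the app still sees the failure; the parent decides what to do
    }
  };
}

// --- parent side (the page hosting the iframe) -----------------------------

// connect-src directive for the current allow-list; an empty list permits
// nothing. The tool's full policy is not shown here, only the part the
// allow-list controls.
function buildCsp(allowList) {
  return `connect-src ${allowList.length ? allowList.join(" ") : "'none'"}`;
}

// srcdoc for the frame: the policy goes in a <meta> tag, and the parent's
// origin is embedded (assumed attribute name) so the child can address it.
function buildFrameDocument(appHtml, allowList, parentOrigin) {
  return `<!doctype html><html><head>` +
    `<meta http-equiv="Content-Security-Policy" content="${buildCsp(allowList)}">` +
    `</head><body data-parent-origin="${parentOrigin}">${appHtml}</body></html>`;
}

// Decide whether a message is a legitimate allow-list request. Because the
// frame is sandboxed, event.origin is the string "null" and proves nothing;
// authenticate the sender by comparing event.source with the frame's window.
function originToPrompt(event, frameWindow, allowList) {
  if (event.source !== frameWindow) return null;
  const data = event.data;
  if (!data || data.type !== BLOCKED_FETCH_MESSAGE || typeof data.origin !== "string") return null;
  let parsed;
  try { parsed = new URL(data.origin); } catch { return null; }
  // Must be exactly an https origin (no path or query) and not already allowed.
  if (parsed.protocol !== "https:" || parsed.origin !== data.origin) return null;
  if (allowList.includes(data.origin)) return null;
  return data.origin; // caller prompts the user, then adds it and reloads the frame
}

// Browser wiring; skipped when this file runs under Node.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  if (window.parent !== window) {
    installInterceptingFetch(window, document.body.dataset.parentOrigin);
  } else {
    const allowList = [];
    const frame = document.querySelector("iframe");
    const appHtml = frame ? frame.dataset.appHtml || "" : ""; // assumed source of the app markup
    window.addEventListener("message", (event) => {
      const origin = frame && originToPrompt(event, frame.contentWindow, allowList);
      if (origin && window.confirm(`Allow the app to contact ${origin}?`)) {
        allowList.push(origin);
        // Rebuilding srcdoc reloads the frame with the extended policy.
        frame.srcdoc = buildFrameDocument(appHtml, allowList, window.location.origin);
      }
    });
  }
}
```

The two checks that matter for safety live in `originToPrompt`: the sender is identified by `event.source` rather than `event.origin` (which is always `"null"` for a sandboxed frame), and the requested value must be a bare https origin, so the child cannot smuggle a path, scheme or extra directive into the policy string.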
I built this one with GPT-5.5 xhigh running in the Codex desktop app.
Tags: content-security-policy (https://simonwillison.net/tags/content-security-policy), iframes (https://simonwillison.net/tags/iframes), security (https://simonwillison.net/tags/security)