Tool

CSP Allow-list Experiment

Experiment with Content Security Policy (CSP) allow-lists by editing HTML code in the left panel and observing how network requests are handled in the sandboxed preview on the right. Add trusted origins to the connect-src allow-list, and the application will prompt you to approve blocked requests from the sandbox, automatically updating your CSP configuration. This tool helps developers understand how CSP policies control resource loading and test dynamic allow-list management in real time.

An experiment that shows that you can load an app in a CSP-protected sandboxed iframe (see previous note) and have a custom fetch() that intercepts CSP errors and passes them up to the parent window... which can then prompt the user to add that domain to an allow-list and then refresh the page.

I built this one with GPT-5.5 xhigh running in the Codex desktop app.
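
The flow described above, as an added example (not the tool's own code): a fetch wrapper for the sandbox, plus the parent-side checks that gate what reaches the connect-src allow-list. The message type `csp-blocked`, the function names, the https-only rule and the non-connect-src directives are assumptions.

```javascript
// Added example: message type "csp-blocked" and all function names are assumptions.

// Parent: build the sandbox policy from the approved origins. Directives other
// than connect-src are assumed here, to let the edited HTML run inline script.
function buildCsp(allowList) {
  const connect = allowList.length ? allowList.join(" ") : "'none'";
  return `default-src 'none'; script-src 'unsafe-inline'; connect-src ${connect}`;
}

// Sandbox: wrap fetch so a failed request is reported to the parent. A CSP block
// rejects with a generic TypeError, the same as a network error, so the report
// is only a hint and the parent must validate it.
function wrapFetch(fetchImpl, post) {
  return async function guardedFetch(input, init) {
    try {
      return await fetchImpl(input, init);
    } catch (err) {
      const url = input && input.url ? input.url : String(input);
      post({ type: "csp-blocked", url });
      throw err; // the caller still sees the failure
    }
  };
}

// Parent: decide which origin, if any, to offer the user for approval.
function originToApprove(event, frameWindow, allowList) {
  if (event.source !== frameWindow) return null; // only our own iframe
  const data = event.data;
  if (!data || data.type !== "csp-blocked" || typeof data.url !== "string") return null;
  let parsed;
  try { parsed = new URL(data.url); } catch { return null; }
  if (parsed.protocol !== "https:") return null; // assumption: https origins only
  return allowList.includes(parsed.origin) ? null : parsed.origin;
}

// Parent: apply the user's answer; the caller reloads the iframe with buildCsp(result).
function approve(allowList, origin, userSaidYes) {
  return userSaidYes ? [...allowList, origin] : allowList;
}

// Browser wiring (not run under Node):
//   sandbox: window.fetch = wrapFetch(window.fetch.bind(window), m => parent.postMessage(m, "*"));
//   parent:  addEventListener("message", e => { const o = originToApprove(e, iframe.contentWindow, list);
//              if (o) { list = approve(list, o, confirm(`Allow ${o}?`)); /* reload iframe */ } });
```

Only the origin is added, never the full URL, and a message from any window other than the iframe is ignored, so the sandboxed page cannot widen its own policy without the user's approval.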