Can JavaScript Escape a CSP Meta Tag Inside an Iframe?

Simon Willison Blog
Generative AI

Research: Can JavaScript Escape a CSP Meta Tag Inside an Iframe? In trying to build my own version of Claude Artifacts I got curious about options for applying CSP headers to content in sandboxed iframes without using a separate domain to host the files. Turns out you can inject

Read Full Article