Can JavaScript Escape a CSP Meta Tag Inside an Iframe?

📰 Simon Willison's Blog

Research: Can JavaScript Escape a CSP Meta Tag Inside an Iframe? In trying to build my own version of Claude Artifacts I got curious about options for applying CSP headers to content in sandboxed iframes without using a separate domain to host the files. Turns out you can inject tags at the top of the iframe content and th

Published 3 Apr 2026