Simon Willison

CSP Allow-list Experiment

Signal: 45, Hype: 25

In three lines: Simon Willison presents an experimental tool that loads an app in a CSP-protected, sandboxed iframe. A custom fetch() intercepts CSP errors and passes them to the parent window so that domains can be dynamically added to the allow-list. Built with GPT-5.5 xhigh in Codex.
Tools, Code generation

Summary generated by Claude — human-verified