🔒 Security
CSP Allow-list Experiment: controlling dynamic content loading through an iframe sandbox
This experiment demonstrates a new way to run an app inside a restrictive, CSP-protected iframe: a custom fetch() intercepts CSP errors and reports them to the parent window. After the user confirms, the blocked domain is added to the allow-list and the page is refreshed to lift the restriction. This gives cross-origin resource loading a flexible, user-controlled mechanism without giving up the sandbox.
Simon Willison
13th May 2026
Tool: CSP Allow-list Experiment
An experiment that shows that you can load an app in a CSP-protected sandboxed iframe (see previous note) and have a custom fetch() that intercepts CSP errors and passes them up to the parent window... which can then prompt the user to add that domain to an allow-list and then refresh the page.
I built this one with GPT-5.5 xhigh running in the Codex desktop app.
Posted 13th May 2026 at 4:50 am
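The two halves of the mechanism described above, as an added example that is not the code from Simon Willison's experiment: the iframe-side fetch wrapper that reports a blocked origin, and the parent-side handler that validates the report, asks the user, and rebuilds the iframe's CSP. It assumes the parent embeds the app as `<iframe id="app" sandbox="allow-scripts" srcdoc=...>` with a `<meta>` CSP in the srcdoc; `APP_HTML`, `app.invalid` and the message shape are placeholders.

```javascript
// Added example (not code from Simon Willison's experiment). Assumes the parent
// embeds the app as <iframe id="app" sandbox="allow-scripts" srcdoc=...> whose
// srcdoc carries a <meta> CSP, and the iframe reports via postMessage.
const APP_HTML = "<p>app goes here</p>"; // placeholder for the real app markup

// Parent: CSP from user-approved origins. default-src 'none' keeps everything
// blocked until approved; the app's own script-src (e.g. a nonce) is omitted.
function buildCsp(allowList) {
  const srcs = ["'self'", ...allowList].join(" ");
  return `default-src 'none'; connect-src ${srcs}; img-src ${srcs}`;
}
// Parent: reassigning srcdoc is the "refresh" that applies the new policy.
function buildSrcdoc(allowList, appHtml) {
  return `<meta http-equiv="Content-Security-Policy" content="${buildCsp(allowList)}">${appHtml}`;
}

// Iframe: a CSP-blocked fetch rejects with a TypeError, just like a network
// failure, so the wrapper only *reports* the origin; the parent decides.
function makeGuardedFetch(realFetch, report, baseUrl = "https://app.invalid/") {
  return async function guardedFetch(input, init) {
    const { origin } = new URL(typeof input === "string" ? input : input.url, baseUrl);
    try {
      return await realFetch(input, init);
    } catch (err) {
      if (err instanceof TypeError) report({ type: "csp-blocked", origin });
      throw err; // the app still sees the failure
    }
  };
}
// Parent: the report comes from untrusted iframe content, so validate it and
// extend the list only after the user confirms. Same array back if unchanged.
function handleReport(msg, allowList, confirm) {
  if (!msg || msg.type !== "csp-blocked" || typeof msg.origin !== "string") return allowList;
  let origin;
  try { origin = new URL(msg.origin).origin; } catch { return allowList; }
  if (!origin.startsWith("https://") || allowList.includes(origin)) return allowList;
  if (!confirm(`Allow this app to load resources from ${origin}?`)) return allowList;
  return [...allowList, origin];
}
// Parent-side wiring; skipped when this file runs outside a browser page.
if (typeof window !== "undefined") {
  let allowList = [];
  window.addEventListener("message", (ev) => {
    const iframe = document.getElementById("app");
    if (!iframe || ev.source !== iframe.contentWindow) return; // only our frame
    const next = handleReport(ev.data, allowList, window.confirm.bind(window));
    if (next !== allowList) { allowList = next; iframe.srcdoc = buildSrcdoc(allowList, APP_HTML); }
  });
}
```

Inside the iframe, `window.fetch = makeGuardedFetch(window.fetch, (m) => parent.postMessage(m, "*"))` installs the wrapper; a sandboxed frame has an opaque origin, so the parent identifies it by `ev.source` rather than `ev.origin`.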