惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Engineering at Meta
Engineering at Meta
T
Threatpost
P
Palo Alto Networks Blog
NISL@THU
NISL@THU
O
OpenAI News
Project Zero
Project Zero
G
GRAHAM CLULEY
P
Privacy International News Feed
A
Arctic Wolf
Microsoft Azure Blog
Microsoft Azure Blog
H
Help Net Security
M
MIT News - Artificial intelligence
T
Threat Research - Cisco Blogs
S
Security @ Cisco Blogs
Google DeepMind News
Google DeepMind News
B
Blog RSS Feed
D
Docker
aimingoo的专栏
aimingoo的专栏
博客园 - 【当耐特】
N
Netflix TechBlog - Medium
云风的 BLOG
云风的 BLOG
雷峰网
雷峰网
W
WeLiveSecurity
P
Proofpoint News Feed
腾讯CDC
Cloudbric
Cloudbric
S
Secure Thoughts
C
Check Point Blog
博客园 - Franky
T
The Exploit Database - CXSecurity.com
T
Troy Hunt's Blog
GbyAI
GbyAI
Security Archives - TechRepublic
Security Archives - TechRepublic
Application and Cybersecurity Blog
Application and Cybersecurity Blog
月光博客
月光博客
C
Cyber Attacks, Cyber Crime and Cyber Security
I
Intezer
TaoSecurity Blog
TaoSecurity Blog
L
Lohrmann on Cybersecurity
V
Visual Studio Blog
F
Fortinet All Blogs
博客园 - 叶小钗
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recorded Future
Recorded Future
C
Cisco Blogs
博客园 - 司徒正美
Stack Overflow Blog
Stack Overflow Blog
Y
Y Combinator Blog
Apple Machine Learning Research
Apple Machine Learning Research

Simon Willison's Weblog

Release: datasette 1.0a29 Thoughts on GitLab’s workforce reduction A quote from James Shore Your AI Use Is Breaking My Brain TIL: Using LLM in the shebang line of a script Learning on the Shop floor A quote from New York Times Editors’ Note A quote from Andrew Quinn A quote from Luke Curley Release: llm-gemini 0.31 Tool: Big Words Behind the Scenes Hardening Firefox with Claude Mythos Preview Notes on the xAI/Anthropic data center deal Tool: GitHub Repo Stats Live blog: Code w/ Claude 2026 Vibe coding and agentic engineering are getting closer than I’d like Release: datasette-referrer-policy 0.1 Release: datasette-llm 0.1a7 Release: llm-echo 0.5a0 Granite 4.1 3B SVG Pelican Gallery A quote from Andy Masley April 2026 newsletter Research: TRE Python binding — ReDoS robustness demo Tool: Redis Array Playground A quote from Anthropic Sightings iNaturalist Sightings Codex CLI 0.128.0 adds /goal Our evaluation of OpenAI's GPT-5.5 cyber capabilities Quoting Andrew Kelley We need RSS for sharing abundant vibe-coded apps Release: llm 0.32a1 LLM 0.32a0 is a major backwards-compatible refactor Release: llm 0.32a0 Quoting OpenAI Codex base_instructions Quoting Matthew Yglesias What's new in pip 26.1 - lockfiles and dependency cooldowns! Introducing talkie: a 13B vintage language model from 1930 microsoft/VibeVoice Tracking the history of the now-deceased OpenAI Microsoft AGI clause WHY ARE YOU LIKE THIS Quoting Romain Huet GPT-5.5 prompting guide llm 0.31 DeepSeek V4 - almost on the frontier, a fraction of the price Tool: Millisecond Converter It's a big one russellromney/honker Serving the For You feed Extract PDF text in your browser with LiteParse for the web A pelican for GPT-5.5 via the semi-official Codex backdoor API Release: llm-openai-via-codex 0.1a0 Quoting Maggie Appleton A quote from Bobby Holley Is Claude Code going to cost $100/month? Probably not—it’s all very confusing Where’s the raccoon with the ham radio? (ChatGPT Images 2.0) A quote from Andreas Påhlsson-Notini scosman/pelicans_riding_bicycles Release: llm-openrouter 0.6 TIL: SQL functions in Google Sheets to fetch data from Datasette Claude Token Counter, now with model comparisons Headless everything for personal AI Research: Claude system prompts as a git timeline Adding a new content type to my blog-to-newsletter tool - Agentic Engineering Patterns Join us at PyCon US 2026 in Long Beach—we have new AI and security tracks this year Release: datasette 1.0a28 Release: llm-anthropic 0.25 Qwen3.6-35B-A3B on my laptop drew me a better pelican than Claude Opus 4.7 Tool: datasette.io news preview Release: datasette-export-database 0.3a1 Release: datasette 1.0a27 Gemini 3.1 Flash TTS Tool: Gemini 3.1 Flash TTS A quote from Kyle Kingsbury Release: datasette-ports 0.3 Zig 0.16.0 release notes: “Juicy Main” datasette PR #2689: Replace token-based CSRF with Sec-Fetch-Site header protection Tool: SQLite Query Result Formatter Demo Tool: SQLite Query Result Formatter Demo A quote from Giles Turnbull A quote from Giles Turnbull Research: SQLite WAL Mode Across Docker Containers Sharing a Volume Research: SQLite WAL Mode Across Docker Containers Sharing a Volume Tool: Cleanup Claude Code Paste Release: datasette-ports 0.1 Eight years of wanting, three months of building with AI A quote from Chengpeng Mou Tool: Syntaqlite Playground Release: scan-for-secrets 0.2 Release: scan-for-secrets 0.1.1 Release: scan-for-secrets 0.1 Release: research-llm-apis 2026-04-04 A quote from Kyle Daigle Vulnerability Research Is Cooked The cognitive impact of coding agents A quote from Willy Tarreau A quote from Daniel Stenberg A quote from Greg Kroah-Hartman The Axios supply chain attack used individually targeted social engineering Highlights from my conversation about agentic engineering on Lenny’s Podcast
Research: Can JavaScript Escape a CSP Meta Tag Inside an Iframe?
2026-04-03 · via Simon Willison's Weblog

Research Can JavaScript Escape a CSP Meta Tag Inside an Iframe? — JavaScript running inside a `sandbox="allow-scripts"` iframe cannot escape or disable a `<meta http-equiv="Content-Security-Policy">` tag, even through removal, modification, or document replacement. Extensive testing across Chromium and Firefox confirmed that CSP policies defined via meta tags are enforced at parse time, and persist even when the iframe is navigated to a data: URI.

In trying to build my own version of Claude Artifacts I got curious about options for applying CSP headers to content in sandboxed iframes without using a separate domain to host the files. Turns out you can inject <meta http-equiv="Content-Security-Policy"...> tags at the top of the iframe content and they'll be obeyed even if subsequent untrusted JavaScript tries to manipulate them.