惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LINUX DO - 最新话题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
PCI Perspectives
PCI Perspectives
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
H
Heimdal Security Blog
S
Security @ Cisco Blogs
N
News | PayPal Newsroom
J
Java Code Geeks
罗磊的独立博客
Security Archives - TechRepublic
Security Archives - TechRepublic
N
News and Events Feed by Topic
V
V2EX
WordPress大学
WordPress大学
Google Online Security Blog
Google Online Security Blog
N
News and Events Feed by Topic
www.infosecurity-magazine.com
www.infosecurity-magazine.com
月光博客
月光博客
AI
AI
小众软件
小众软件
The GitHub Blog
The GitHub Blog
MongoDB | Blog
MongoDB | Blog
A
Arctic Wolf
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
美团技术团队
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
Tailwind CSS Blog
S
Schneier on Security
博客园 - 三生石上(FineUI控件)
F
Full Disclosure
B
Blog RSS Feed
Forbes - Security
Forbes - Security
S
SegmentFault 最新的问题
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
人人都是产品经理
人人都是产品经理
云风的 BLOG
云风的 BLOG
Jina AI
Jina AI
Cisco Talos Blog
Cisco Talos Blog
U
Unit 42
Project Zero
Project Zero
H
Hacker News: Front Page
Y
Y Combinator Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
The Cloudflare Blog
大猫的无限游戏
大猫的无限游戏
S
Secure Thoughts
The Hacker News
The Hacker News
Microsoft Azure Blog
Microsoft Azure Blog

Simon Willison's Weblog

Thoughts on GitLab’s workforce reduction A quote from James Shore Your AI Use Is Breaking My Brain TIL: Using LLM in the shebang line of a script Learning on the Shop floor A quote from New York Times Editors’ Note A quote from Andrew Quinn A quote from Luke Curley Release: llm-gemini 0.31 Tool: Big Words Behind the Scenes Hardening Firefox with Claude Mythos Preview Notes on the xAI/Anthropic data center deal Tool: GitHub Repo Stats Live blog: Code w/ Claude 2026 Vibe coding and agentic engineering are getting closer than I’d like Release: datasette-referrer-policy 0.1 Release: datasette-llm 0.1a7 Release: llm-echo 0.5a0 Granite 4.1 3B SVG Pelican Gallery A quote from Andy Masley April 2026 newsletter Research: TRE Python binding — ReDoS robustness demo Tool: Redis Array Playground A quote from Anthropic Sightings iNaturalist Sightings Codex CLI 0.128.0 adds /goal Our evaluation of OpenAI's GPT-5.5 cyber capabilities Quoting Andrew Kelley We need RSS for sharing abundant vibe-coded apps Release: llm 0.32a1 LLM 0.32a0 is a major backwards-compatible refactor Release: llm 0.32a0 Quoting OpenAI Codex base_instructions Quoting Matthew Yglesias What's new in pip 26.1 - lockfiles and dependency cooldowns! Introducing talkie: a 13B vintage language model from 1930 microsoft/VibeVoice Tracking the history of the now-deceased OpenAI Microsoft AGI clause WHY ARE YOU LIKE THIS Quoting Romain Huet GPT-5.5 prompting guide llm 0.31 DeepSeek V4 - almost on the frontier, a fraction of the price Tool: Millisecond Converter It's a big one russellromney/honker Serving the For You feed Extract PDF text in your browser with LiteParse for the web A pelican for GPT-5.5 via the semi-official Codex backdoor API Release: llm-openai-via-codex 0.1a0 Quoting Maggie Appleton A quote from Bobby Holley Is Claude Code going to cost $100/month? Probably not—it’s all very confusing Where’s the raccoon with the ham radio? (ChatGPT Images 2.0) A quote from Andreas Påhlsson-Notini scosman/pelicans_riding_bicycles Release: llm-openrouter 0.6 TIL: SQL functions in Google Sheets to fetch data from Datasette Claude Token Counter, now with model comparisons Headless everything for personal AI Research: Claude system prompts as a git timeline Adding a new content type to my blog-to-newsletter tool - Agentic Engineering Patterns Join us at PyCon US 2026 in Long Beach—we have new AI and security tracks this year Release: datasette 1.0a28 Release: llm-anthropic 0.25 Qwen3.6-35B-A3B on my laptop drew me a better pelican than Claude Opus 4.7 Tool: datasette.io news preview Release: datasette-export-database 0.3a1 Release: datasette 1.0a27 Gemini 3.1 Flash TTS Tool: Gemini 3.1 Flash TTS A quote from Kyle Kingsbury Release: datasette-ports 0.3 Zig 0.16.0 release notes: “Juicy Main” datasette PR #2689: Replace token-based CSRF with Sec-Fetch-Site header protection Tool: SQLite Query Result Formatter Demo Tool: SQLite Query Result Formatter Demo A quote from Giles Turnbull A quote from Giles Turnbull Research: SQLite WAL Mode Across Docker Containers Sharing a Volume Research: SQLite WAL Mode Across Docker Containers Sharing a Volume Tool: Cleanup Claude Code Paste Release: datasette-ports 0.1 Eight years of wanting, three months of building with AI A quote from Chengpeng Mou Tool: Syntaqlite Playground Release: scan-for-secrets 0.2 Release: scan-for-secrets 0.1.1 Release: scan-for-secrets 0.1 Release: research-llm-apis 2026-04-04 A quote from Kyle Daigle Vulnerability Research Is Cooked The cognitive impact of coding agents A quote from Willy Tarreau A quote from Daniel Stenberg A quote from Greg Kroah-Hartman Research: Can JavaScript Escape a CSP Meta Tag Inside an Iframe? The Axios supply chain attack used individually targeted social engineering Highlights from my conversation about agentic engineering on Lenny’s Podcast
Tool: CSP Allow-list Experiment
2026-05-13 · via Simon Willison's Weblog

13th May 2026

An experiment that shows that you can load an app in a CSP-protected sandboxed iframe (see previous note) and have a custom fetch() that intercepts CSP errors and passes them up to the parent window... which can then prompt the user to add that domain to an allow-list and then refresh the page.

Screenshot of a web tool titled "CSP Allow-list Experiment" with buttons Reset sample, Clear allow-list, Refresh preview. Left panel shows HTML source code starting with <!doctype html>. Right panel shows Preview with CSP header default-src 'none'; script-src 'unsafe-inline'; style-s... and heading "Sandbox fetch test". A modal dialog from tools.simonwillison.net is overlaid reading: "The sandbox tried to connect to: https://api.inaturalist.org   Add this origin to the CSP connect-src allow-list and refresh the page?" with an unchecked checkbox "Don't allow tools.simonwillison.net to prompt you again" and Cancel and OK buttons. Below is "Messages from sandbox" showing fetch-catch blocked https://api.inaturalist.org/v1/observations?per... connect-src · https://api.inaturalist.org. At the bottom left is "Allowed fetch() origins" with an input field containing https://api.github.com, an Add button, and a tag https://api.github.com x.

I built this one with GPT-5.5 xhigh running in the Codex desktop app.

Posted 13th May 2026 at 4:50 am