Vibe Coding
CSP Meta Tag Sandboxing Confirmed: JavaScript Cannot Escape Content Security Policy Inside an Iframe
Simon Willison's security research confirms that CSP policies set via HTML meta tags persist even when untrusted JavaScript attempts to remove or modify them inside sandboxed iframes. Scripts injected into the page cannot bypass the policy by deleting the meta element — the browser enforces the snapshot taken at parse time. This is directly relevant to securing AI artifact renderers (like Claude Artifacts) where user-generated or AI-generated code runs in sandboxed contexts.
↳ Follow the thread