CSP Allow-list Experiment

Experiment with Content Security Policy (CSP) allow-lists by modifying the HTML code in the left panel and watching how network requests are processed in the isolated preview pane on the right. Add approved origins to the connect-src allow-list. This will cause the app to prompt you for approval of any blocked sandbox requests and automatically update your CSP settings accordingly. This tool helps developers understand how CSP policies control resource loading and experiment with dynamic allow-list management in real time.

It demonstrates loading an application inside a CSP-protected sandboxed iframe (see previous note), using a custom fetch() that catches CSP violations and forwards them to the parent window. The parent can then prompt the user to add the blocked domain to an allow-list and reload the page. I built this with GPT-5.5 xhigh in the Codex desktop app.
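The mechanism described above, written out as an added example that is not code from the post or from the tool it links to. It models both halves of the design: a fetch() wrapper that runs inside the CSP-restricted iframe and reports a rejected request to the parent, and the parent-side logic that triages the report, asks the user, and regenerates the iframe's CSP from the updated connect-src allow-list. The function names (wrapFetch, buildCsp, triageViolation, approveOrigin, buildSrcdoc), the message shape {type, url}, and the `iframe#sandbox` element are assumptions for this example, not details taken from the post.

```javascript
// Added example (not the post's or the tool's code). Pure functions hold the
// allow-list logic so they can be exercised outside a browser; the DOM wiring
// at the bottom only runs when a window object exists.

// ---- Parent side: allow-list -> CSP string ---------------------------------

// Build the CSP for the sandboxed iframe. default-src 'none' blocks anything
// not listed explicitly; connect-src carries only the user-approved origins.
function buildCsp(allowedOrigins) {
  const connect = allowedOrigins.length ? allowedOrigins.join(' ') : "'none'";
  return [
    "default-src 'none'",
    "script-src 'unsafe-inline'", // assumption: the experiment's app script is inline
    `connect-src ${connect}`,
  ].join('; ');
}

// Reduce a blocked request URL to the origin that would be offered to the user.
// Returns null for anything that should never reach the prompt: unparsable
// URLs, non-https schemes, or credentials embedded in the URL.
function originForAllowList(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== 'https:') return null;
  if (u.username || u.password) return null;
  return u.origin; // scheme + host + port: an exact origin, never a wildcard
}

// Decide what the parent does with one violation report from the iframe.
//   'ignore' - origin is already allowed (stale or duplicate report)
//   'reject' - malformed message or an origin we would never offer
//   'prompt' - ask the user; on approval the caller adds `origin` and reloads
function triageViolation(allowedOrigins, report) {
  if (!report || report.type !== 'csp-blocked') return { action: 'reject' };
  const origin = originForAllowList(report.url);
  if (origin === null) return { action: 'reject' };
  if (allowedOrigins.includes(origin)) return { action: 'ignore', origin };
  return { action: 'prompt', origin };
}

// Return a new allow-list containing the approved origin (no duplicates, no mutation).
function approveOrigin(allowedOrigins, origin) {
  return allowedOrigins.includes(origin) ? allowedOrigins.slice() : [...allowedOrigins, origin];
}

// srcdoc for the iframe: the CSP meta tag precedes any script so it governs
// the whole document. `appHtml` is the user's HTML from the editor panel.
function buildSrcdoc(allowedOrigins, appHtml) {
  const csp = buildCsp(allowedOrigins).replace(/"/g, '&quot;');
  return `<!doctype html><html><head><meta http-equiv="Content-Security-Policy" content="${csp}"></head><body>${appHtml}</body></html>`;
}

// ---- Iframe side: fetch() wrapper ------------------------------------------

// Wrap a fetch implementation so a rejected request is reported through
// `report` (in the browser: msg => parent.postMessage(msg, '*')). A fetch
// blocked by CSP rejects with a TypeError that does not say why, so the
// wrapper reports the URL and leaves the decision to the parent; the original
// request still fails, the policy is never bypassed from inside the frame.
function wrapFetch(realFetch, report) {
  return async function cspAwareFetch(input, init) {
    const url = (input && typeof input === 'object' && 'url' in input) ? input.url : String(input);
    try {
      return await realFetch(input, init);
    } catch (err) {
      if (err instanceof TypeError) report({ type: 'csp-blocked', url });
      throw err;
    }
  };
}

// ---- Browser wiring (skipped when there is no DOM) -------------------------
if (typeof window !== 'undefined' && window.parent !== window) {
  // Inside the sandboxed iframe: swap in the reporting wrapper.
  window.fetch = wrapFetch(window.fetch.bind(window), (msg) => window.parent.postMessage(msg, '*'));
} else if (typeof window !== 'undefined') {
  // In the parent. A sandboxed frame has an opaque origin, so ev.origin is
  // "null"; match on ev.source instead so only our own frame can trigger a prompt.
  let allowed = [];
  const frame = document.querySelector('iframe#sandbox'); // assumed element id
  window.addEventListener('message', (ev) => {
    if (!frame || ev.source !== frame.contentWindow) return;
    const t = triageViolation(allowed, ev.data);
    if (t.action === 'prompt' && window.confirm(`Allow connections to ${t.origin}?`)) {
      allowed = approveOrigin(allowed, t.origin);
      frame.srcdoc = buildSrcdoc(allowed, frame.dataset.appHtml || ''); // assumed data attribute
    }
  });
}
```

Two design points worth noting. The allow-list lives only in the parent and the iframe's policy is rebuilt from it on reload, so nothing the sandboxed page does can widen its own CSP; it can only ask. And because a blocked fetch() rejects with a generic TypeError, a network failure would be reported the same way; a page that wants the exact blocked URI and directive can additionally listen for the `securitypolicyviolation` event inside the frame, which carries `blockedURI` and `violatedDirective`.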

Simon Willison’s Weblog