
Can JavaScript Escape a CSP Meta Tag Inside an Iframe?

Simon Willison, archived Apr 03, 2026

AI Summary (Claude Sonnet): JavaScript running inside a `sandbox="allow-scripts"` iframe cannot escape or disable a `<meta http-equiv="Content-Security-Policy">` tag, even through removal, modification, or document replacement. Extensive testing across Chromium and Firefox confirmed that CSP policies defined via meta tags are enforced at parse time, and persist even when the iframe is navigated to a data: URI.

Research: Can JavaScript Escape a CSP Meta Tag Inside an Iframe?

In trying to build my own version of Claude Artifacts I got curious about options for applying CSP headers to content in sandboxed iframes without using a separate domain to host the files. Turns out you can inject `<meta http-equiv="Content-Security-Policy"...>` tags at the top of the iframe content and they'll be obeyed even if subsequent untrusted JavaScript tries to manipulate them.

Posted 3rd April 2026 at 4:05 pm

Tags: iframes, javascript, sandboxing, security, content-security-policy
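The technique above in working form, as an added example that is neither the post's code nor anything from Claude Artifacts: assembling the srcdoc of a `sandbox="allow-scripts"` iframe so the CSP meta tag is parsed before any untrusted content, plus a check for directives the CSP spec ignores when delivered in a meta tag. The function names, the sample policy and the sample untrusted markup are assumptions constructed for this example.

```javascript
// Added example, not code from Simon Willison's post: assemble the srcdoc of a
// sandboxed iframe so that a <meta http-equiv="Content-Security-Policy"> tag is
// parsed before any untrusted markup. Names and the sample policy are assumed.

// Directives the CSP spec does not honour when delivered via a <meta> element;
// a policy relying on them would silently do nothing inside the iframe.
const META_UNSUPPORTED = ['frame-ancestors', 'report-uri', 'sandbox'];

// Return the directive names in `policy` that a meta tag cannot enforce.
function unsupportedMetaDirectives(policy) {
  return policy
    .split(';')
    .map((d) => d.trim().split(/\s+/)[0])
    .filter((name) => name && META_UNSUPPORTED.includes(name.toLowerCase()));
}

// Escape text for a double-quoted HTML attribute value (used for srcdoc).
function escapeAttr(text) {
  return text.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Build the iframe document: CSP meta tag first, untrusted HTML after it.
// Later markup cannot loosen the policy; additional CSPs only add restrictions.
function wrapUntrustedHtml(untrustedHtml, policy) {
  const bad = unsupportedMetaDirectives(policy);
  if (bad.length > 0) {
    throw new Error(`directives not enforceable via <meta>: ${bad.join(', ')}`);
  }
  return (
    '<!DOCTYPE html><html><head>' +
    `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(policy)}">` +
    `</head><body>${untrustedHtml}</body></html>`
  );
}

// sandbox="allow-scripts" without allow-same-origin gives the frame an opaque
// origin, so even unrestricted script cannot reach the parent's cookies or DOM.
function buildSandboxedIframe(untrustedHtml, policy) {
  const doc = wrapUntrustedHtml(untrustedHtml, policy);
  return `<iframe sandbox="allow-scripts" srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Constructed sample policy: allow inline script and style, block all network fetches.
const ARTIFACT_POLICY =
  "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'";
// Constructed untrusted content that tries to drop the meta tag and then call out;
// per the post, the policy still holds and the fetch is blocked.
const UNTRUSTED_ARTIFACT =
  '<script>document.querySelector("meta").remove();fetch("https://example.invalid/")</script>';
```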