The Bottom Line: Developers can experiment in a sandboxed environment with how CSP policies filter network requests, and dynamically add approved origins to the connect-src allow-list.
An interactive tool enables developers to test Content Security Policy (CSP) directives in real time and understand how allow-lists govern resource loading. By modifying the HTML code, users can track blocked requests and selectively permit them.
The experiment offers a split-view interface: the left panel allows editing of HTML code, while the right panel executes an isolated preview with CSP protection. Users can add origins to the connect-src allow-list and immediately observe how behaviour changes.
The technical implementation uses a custom fetch() wrapper that intercepts CSP violations and forwards them to the parent window. These violations are then reported to the application, allowing blocked domains to be interactively added to the allow-list and the page reloaded. The concept demonstrates both sandbox isolation and practical CSP management in a controlled environment.
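The reporting loop described above, sketched as an added example that is not the tool's own code: the function names, the message shape and the choice to treat any rejected fetch as a candidate report are assumptions. It goes slightly beyond the summary by showing the checks the parent should make before an origin reaches the allow-list.

```javascript
// Added illustration; all names and the message shape are assumptions.

// connect-src directive for the preview, built from the approved origins.
function connectSrcDirective(allowed) {
  return "connect-src " + (allowed.size ? [...allowed].join(" ") : "'none'");
}

// Inside the preview: wrap fetch so a rejected request is reported upward.
// A CSP block and a network error both reject, so a report is only a candidate.
function makeReportingFetch(realFetch, postToParent) {
  return async function reportingFetch(input, init) {
    try {
      return await realFetch(input, init);
    } catch (err) {
      postToParent({ type: "fetch-blocked", url: String(input?.url ?? input) });
      throw err; // the caller still sees the original failure
    }
  };
}

// In the parent: reduce a report to an origin awaiting approval, or null.
function handleReport(event, previewWindow, allowed) {
  // A sandboxed frame without allow-same-origin has origin "null",
  // so the sender is identified by window reference, not event.origin.
  if (event.source !== previewWindow) return null;
  const data = event.data;
  if (!data || data.type !== "fetch-blocked" || typeof data.url !== "string") return null;
  let target;
  try { target = new URL(data.url); } catch { return null; }
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  return allowed.has(target.origin) ? null : target.origin;
}

// After the user approves: extend the allow-list and return the new directive
// to apply when the preview is reloaded.
function approve(origin, allowed) {
  allowed.add(origin);
  return connectSrcDirective(allowed);
}
```

In a browser, the preview would pass a function that calls `parent.postMessage` as `postToParent`, and the parent would call `handleReport` from its `message` listener.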
The tool was developed with GPT-5.5 xhigh in the Codex Desktop application and originates from a contribution by Simon Willison. For practitioners, it is a practical means to understand and optimize CSP policies without having to set up complex configurations locally.
Source: ainews-dev.lumi-systems.io · Published 13 May 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.5.2.