vietnam crab exportersoft-shell crab

Simon Willison’s Weblog

Subscribe

Wednesday, 13th May 2026

Sighting 5:15 PM – 5:21 PM — Cedar Waxwing, California Scrub-Jay
Cedar Waxwing
Cedar Waxwing
Cedar Waxwing
Cedar Waxwing
California Scrub-Jay
California Scrub-Jay
13th May 2026
Tool CSP Allow-list Experiment

An experiment that shows that you can load an app in a CSP-protected sandboxed iframe (see previous note) and have a custom fetch() that intercepts CSP errors and passes them up to the parent window... which can then prompt the user to add that domain to an allow-list and then refresh the page.

Screenshot of a web tool titled "CSP Allow-list Experiment" with buttons Reset sample, Clear allow-list, Refresh preview. Left panel shows HTML source code starting with <!doctype html>. Right panel shows Preview with CSP header default-src 'none'; script-src 'unsafe-inline'; style-s... and heading "Sandbox fetch test". A modal dialog from tools.simonwillison.net is overlaid reading: "The sandbox tried to connect to: https://api.inaturalist.org Add this origin to the CSP connect-src allow-list and refresh the page?" with an unchecked checkbox "Don't allow tools.simonwillison.net to prompt you again" and Cancel and OK buttons. Below is "Messages from sandbox" showing fetch-catch blocked https://api.inaturalist.org/v1/observations?per... connect-src · https://api.inaturalist.org. At the bottom left is "Allowed fetch() origins" with an input field containing https://api.github.com, an Add button, and a tag https://api.github.com x.

I built this one with GPT-5.5 xhigh running in the Codex desktop app.

13th May 2026, 4:50 am · iframes, security, content-security-policy

“11 AI agents” is meaningless as a phrase.

If I said “I have 11 spreadsheets” or “I have 11 browser tabs” to do my work, it means about the same thing.

Boris Mann

# 4:15 pm / ai, ai-agents, agent-definitions

Tuesday, 12th May 2026

2026 » May

MTWTFSS
    123
45678910
11121314151617
18192021222324
25262728293031