A simple demonstration of Content Security Policy (CSP) frame-src directive behavior with different configurations.

1. Test 1 (/test1) - CSP: frame-src 'none'

   • Attempts to embed https://paul.kinlan.me (should be blocked)

2. Test 2 (/test2) - CSP: frame-src 'self'

   • Embeds a same-origin page (should work)
   • Attempts to embed https://paul.kinlan.me (should be blocked)

3. Test 3 (/test3) - CSP: frame-src 'self'

   • Embeds a same-origin page that contains an iframe to https://paul.kinlan.me
   • Attempts to embed https://paul.kinlan.me directly (should be blocked)

• backend/index.ts - Main Hono server with CSP headers
• frontend/ - Static HTML pages for each test
• frontend/hello.html - Simple hello world page (no iframes)
• frontend/hello-with-iframe.html - Hello world page with iframe to external site
• frontend/hello-with-nested-srcdoc.html - Hello world page with srcdoc containing external iframe