This is a simple website for testing Content Security Policy (CSP) permissions with iframes.

• Displays a webpage with text "Below is an iframe"
• Contains an iframe with srcdoc content that has:
  • Blue background
  • Black text saying "hello from iframe"
• Served with multiple CSP headers to prevent iframe rendering

• /frontend/index.html - Main HTML page with embedded iframe
• /backend/index.ts - Hono server that serves the HTML with CSP headers

The website is served with multiple CSP directives designed to prevent iframe rendering:

• frame-src 'none' - Blocks loading frames from any source
• child-src 'none' - Blocks web workers and nested browsing contexts
• object-src 'none' - Blocks plugins like Flash, Java applets
• sandbox - Applies sandbox restrictions (very restrictive)

Important Note: srcdoc iframes contain inline content rather than loading from external sources, so they may still render despite frame-src 'none'. The sandbox directive is the most likely to prevent rendering, but browser behavior can vary.

Visit the HTTP endpoint to see the iframe test in action and observe how the browser handles the CSP policy with srcdoc iframes.