iframe-csp
A simple demonstration of Content Security Policy (CSP) `frame-src` directive behavior with different configurations.

- Test 1 (`/test1`) - CSP: `frame-src 'none'`
  - Attempts to embed https://paul.kinlan.me (should be blocked)
- Test 2 (`/test2`) - CSP: `frame-src 'self'`
  - Embeds a same-origin page (should work)
  - Attempts to embed https://paul.kinlan.me (should be blocked)
- Test 3 (`/test3`) - CSP: `frame-src 'self'`
  - Embeds a same-origin page that contains an iframe to https://paul.kinlan.me
  - Attempts to embed https://paul.kinlan.me directly (should be blocked)
- Test 3 (srcdoc) (`/test3-srcdoc`) - CSP: `frame-src 'self'`
  - Uses the `srcdoc` attribute to embed HTML content directly in an iframe
  - The srcdoc content contains an iframe to https://paul.kinlan.me
  - Attempts to embed https://paul.kinlan.me directly (should be blocked)
  - Uses
- Test 3 (Nested srcdoc) (`/test3-nested-srcdoc`) - CSP: `frame-src 'self'`
  - Triple-nested scenario: same-origin iframe → srcdoc iframe → external iframe
  - Tests CSP inheritance through multiple iframe nesting levels
  - External iframe at the deepest level should be blocked

Note that CSP is enforced per document, not per page tree. A frame navigated to a URL is governed by the policy delivered with its own response, so the external iframe inside the same-origin page in Test 3 is only blocked if that page is itself served with `frame-src 'self'`. A `srcdoc` (or `about:blank`) frame has no response of its own and inherits the policy of the document that created it, which is what the srcdoc and nested-srcdoc tests exercise. When `frame-src` is absent, browsers fall back to `child-src` and then `default-src`.

Project files:

- `backend/index.ts` - Main Hono server with CSP headers
- `frontend/` - Static HTML pages for each test
- `frontend/hello.html` - Simple hello world page (no iframes)
- `frontend/hello-with-iframe.html` - Hello world page with iframe to external site
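The checks the tests above rely on, as an added example that is not part of this project's code: a compact model of how a browser matches a child frame's URL against the `frame-src` source list (with the `child-src` / `default-src` fallback) and of which policy governs each document in a nested chain. The deployment origin `https://iframe-csp.example` is hypothetical, and the nested walk assumes, as the README's expected results do, that the Hono backend sends its CSP header on the static HTML pages as well; the second walk shows what happens when it does not.

```javascript
// Added example, not the project's own code. Models the CSP frame-src
// decision for an <iframe> and policy inheritance across nested frames.
// Origin "https://iframe-csp.example" is hypothetical; the backend sending
// CSP on embedded same-origin pages is an assumption stated in the lead-in.

// Parse a serialized policy into { directive: [source expressions] }.
// Browsers ignore a repeated directive name, so the first occurrence wins.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Source list that governs child frames: frame-src, then child-src, then
// default-src. null means no directive applies and the load is allowed.
function frameSourceList(directives) {
  for (const name of ["frame-src", "child-src", "default-src"]) {
    if (name in directives) return directives[name];
  }
  return null;
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.kinlan.me" -> ".kinlan.me"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Simplified CSP3 "does url match expression": 'none', 'self', '*',
// scheme-source (https:) and host-source with wildcard host, port and path
// prefix. Nonce, hash and 'unsafe-*' keywords never apply to frame-src.
function sourceMatches(expr, url, docOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === docOrigin;
  if (e === "*") return url.protocol === "https:" || url.protocol === "http:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  if (!hostMatches(host, url.hostname)) return false;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  const defaultPort = (scheme || url.protocol.slice(0, -1)) === "https" ? "443" : "80";
  if (port === undefined ? urlPort !== defaultPort : port !== "*" && port !== urlPort) return false;
  if (path && !url.pathname.startsWith(path)) return false;
  return true;
}

// May a document at docOrigin that carries this policy embed frameUrl?
function frameAllowed(header, docOrigin, frameUrl) {
  const list = frameSourceList(parseCsp(header));
  if (list === null) return true;
  const origin = new URL(docOrigin).origin;
  const url = new URL(frameUrl, origin);
  return list.some((expr) => sourceMatches(expr, url, origin));
}

// Walk nested frames below a top-level document. Entries are { src, responseCsp }
// for a navigated frame or { srcdoc } for an inline one. A navigated frame is a
// new document whose policy is whatever its own response carried ("" if none),
// never the embedder's; a srcdoc frame inherits the creator's policy and origin.
// Modelling assumption: the srcdoc frame itself is not checked, only what it embeds.
function walkNesting(topPolicy, topOrigin, chain) {
  const trace = [];
  let policy = topPolicy;
  let origin = new URL(topOrigin).origin;
  for (const frame of chain) {
    if (frame.srcdoc !== undefined) {
      trace.push({ frame: "srcdoc", allowed: true, policy });
      continue;
    }
    const allowed = frameAllowed(policy, origin, frame.src);
    trace.push({ frame: frame.src, allowed, policy });
    if (!allowed) break;
    policy = frame.responseCsp ?? "";
    origin = new URL(frame.src, origin).origin;
  }
  return trace;
}

const ORIGIN = "https://iframe-csp.example"; // hypothetical deployment origin
const EXTERNAL = "https://paul.kinlan.me";
console.log("test1:", frameAllowed("frame-src 'none'", ORIGIN, EXTERNAL));
console.log(walkNesting("frame-src 'self'", ORIGIN, [
  { src: "/hello-with-iframe.html", responseCsp: "frame-src 'self'" },
  { srcdoc: "<iframe src='https://paul.kinlan.me'></iframe>" },
  { src: EXTERNAL },
]));
```

Running `walkNesting` with the same chain but no `responseCsp` on `/hello-with-iframe.html` returns `allowed: true` for the external frame: the top-level header never reaches that document, which is the practical reason the backend must set CSP on every HTML response it serves, not only on the test entry points.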