Public
Like
iframe-csp
Val Town is a collaborative website to build and scale JavaScript apps.
Deploy APIs, crons, & store data – all from the browser, and deployed in milliseconds.
A simple demonstration of Content Security Policy (CSP) frame-src directive behavior with different configurations.
-
Test 1 (
/test1) - CSP:frame-src 'none'- Attempts to embed https://paul.kinlan.me (should be blocked)
-
Test 2 (
/test2) - CSP:frame-src 'self'- Embeds a same-origin page (should work)
- Attempts to embed https://paul.kinlan.me (should be blocked)
-
Test 3 (
/test3) - CSP:frame-src 'self'- Embeds a same-origin page that contains an iframe to https://paul.kinlan.me
- Attempts to embed https://paul.kinlan.me directly (should be blocked)
backend/index.ts- Main Hono server with CSP headersfrontend/- Static HTML pages for each testfrontend/hello.html- Simple hello world page (no iframes)frontend/hello-with-iframe.html- Hello world page with iframe to external sitefrontend/hello-with-nested-srcdoc.html- Hello world page with srcdoc containing external iframe