Simon Willison’s Weblog

Wednesday, 13th May 2026

Sighting 5:15 PM – 5:21 PM — Cedar Waxwing, California Scrub-Jay, in San Mateo County, CA, US

An experiment that shows that you can load an app in a CSP-protected sandboxed iframe (see previous note) and have a custom fetch() that intercepts CSP errors and passes them up to the parent window... which can then prompt the user to add that domain to an allow-list and then refresh the page.

Screenshot of a web tool titled "CSP Allow-list Experiment" with buttons Reset sample, Clear allow-list, Refresh preview. Left panel shows HTML source code starting with <!doctype html>. Right panel shows Preview with CSP header default-src 'none'; script-src 'unsafe-inline'; style-s... and heading "Sandbox fetch test". A modal dialog from tools.simonwillison.net is overlaid reading: "The sandbox tried to connect to: https://api.inaturalist.org   Add this origin to the CSP connect-src allow-list and refresh the page?" with an unchecked checkbox "Don't allow tools.simonwillison.net to prompt you again" and Cancel and OK buttons. Below is "Messages from sandbox" showing fetch-catch blocked https://api.inaturalist.org/v1/observations?per... connect-src · https://api.inaturalist.org. At the bottom left is "Allowed fetch() origins" with an input field containing https://api.github.com, an Add button, and a tag https://api.github.com x.

I built this one with GPT-5.5 xhigh running in the Codex desktop app.
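
The parent-window side of this flow, as an added example that is not the tool's own code: the message shape (`type: "fetch-blocked"`, `url`), the function names and the `confirmFn` callback are assumptions. Because the sandboxed content is untrusted, the reported URL is reduced to a strictly validated https origin before it can reach the `connect-src` list.

```javascript
// Added example, not the tool's code. Sample inputs in the tests are constructed.
// Only the directives visible in the screenshot; the rest of the tool's policy
// is truncated there and is not reproduced.
const BASE_POLICY = ["default-src 'none'", "script-src 'unsafe-inline'"];

// Lowercase host with optional port. Rejects wildcards, quotes, ';' and spaces,
// which new URL() can let through in a hostname.
const SAFE_ORIGIN = /^https:\/\/[a-z0-9.-]+(:\d+)?$/;

// Reduce an untrusted URL string to a bare https origin, or return null.
// Only url.origin is kept, so paths, credentials and any "; directive" text
// smuggled into the report cannot end up in the policy string.
function originFromReport(reportedUrl) {
  if (typeof reportedUrl !== "string") return null;
  let url;
  try { url = new URL(reportedUrl); } catch { return null; }
  if (url.protocol !== "https:" || url.username || url.password) return null;
  return SAFE_ORIGIN.test(url.origin) ? url.origin : null;
}

// Build the policy for the next render of the sandboxed document.
function buildCsp(allowedOrigins) {
  const list = [...allowedOrigins].sort();
  const connect = list.length ? `connect-src ${list.join(" ")}` : "connect-src 'none'";
  return [...BASE_POLICY, connect].join("; ");
}

// Handle one report from the sandbox. confirmFn stands in for the user prompt.
// Returns the new policy when the allow-list changed, otherwise null.
// In a browser this would be called from a "message" listener that first checks
// event.source is the sandbox iframe's contentWindow.
function handleSandboxReport(message, allowedOrigins, confirmFn) {
  if (!message || message.type !== "fetch-blocked") return null;
  const origin = originFromReport(message.url);
  if (!origin || allowedOrigins.has(origin)) return null;
  if (!confirmFn(origin)) return null; // user declined: nothing changes
  allowedOrigins.add(origin);
  return buildCsp(allowedOrigins);
}
```

The prompt shows the user the normalised origin rather than the raw string from the sandbox, so what they approve is exactly what gets added.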

“11 AI agents” is meaningless as a phrase.

If I said “I have 11 spreadsheets” or “I have 11 browser tabs” to do my work, it means about the same thing.

Boris Mann

# 4:15 pm / ai, ai-agents, agent-definitions

Sighting 10:41 AM – 10:44 AM — Surf Scoter, Western Gull, in Monterey Bay National Marine Sanctuary, CA, US, CA

Welcome to the Datasette blog. We have a bunch of neat Datasette announcements in the pipeline so we decided it was time the project grew an official blog.

I built this using OpenAI Codex desktop, which turns out to have the Markdown session transcript export feature I've always wanted. Here's the session that built the blog. See also issue 179.

# 11:59 pm / ai, datasette, generative-ai, llms, ai-assisted-programming, codex
