@gwidion it looks to me like https://claude.ai has...

@gwidion it looks to me like https://claude.ai has a robust solution to this, using a combination of iframes with the sandbox attribute and CSP headers, plus web workers with CSP headers and careful application of postMessage

I'm still trying to reverse engineer how their solutions work though

Like 26 October at 3:42 | Open on fedi.simonwillison.net