Datasette Apps sandbox untrusted HTML inside your database tool
Simon Willison has released datasette-apps, a plugin that lets self-contained HTML and JavaScript applications run directly inside a Datasette instance. The apps live in a tightly restricted iframe and talk to Datasette to run read-only SQL queries, with optional write access mediated through allow-listed stored queries. The pitch is essentially Claude Artifacts backed by a persistent relational database — interactive frontends that can query and update real data without a separate backend.
The interesting engineering is in the security model. Because an authenticated Datasette can hold sensitive data, the apps run as untrusted code under an iframe sandbox that blocks DOM, cookie, and localStorage access, plus a Content-Security-Policy injected as a meta tag that prevents outbound requests to other hosts, closing the data-exfiltration hole the sandbox alone leaves open. A useful detail Willison confirmed is that once set via a meta tag, the CSP is immutable for that frame, so malicious script can’t strip it. Communication back to the parent uses a MessageChannel-based protocol (hardened over plain postMessage on an LLM tool’s suggestion) that only permits an allow-list of operations and closes automatically on navigation. Query and CSP errors are surfaced in a visible log to make iterating on apps easier.
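The three layers described above (sandboxed iframe, injected CSP meta tag, allow-listed MessageChannel), as an added sketch that is not code from datasette-apps. The policy string, the message shape, and the names `buildSrcdoc`, `rejectReason`, `handleAppMessage`, `mountApp` and `runReadOnlySql` are all assumptions made for illustration.

```javascript
// Added illustration: names, policy string and message shape are assumptions,
// not taken from datasette-apps.
const CSP = "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'";
const ALLOWED_OPS = new Set(["query"]); // hypothetical allow-list of operations

// Put the CSP <meta> ahead of all app markup so it is in force before any
// app script is parsed. With no connect-src, fetch/XHR fall back to 'none'.
function buildSrcdoc(appHtml) {
  const meta = `<meta http-equiv="Content-Security-Policy" content="${CSP}">`;
  return `<!doctype html><html><head>${meta}</head><body>${appHtml}</body></html>`;
}

// Returns null when a message from the app is acceptable, else the refusal reason.
function rejectReason(msg) {
  if (!msg || typeof msg !== "object") return "malformed message";
  if (!ALLOWED_OPS.has(msg.op)) return "operation not allowed";
  if (typeof msg.sql !== "string") return "sql must be a string";
  return null;
}

// runReadOnlySql is a caller-supplied function (assumed) that executes SQL
// through a read-only path on the server and resolves to rows.
async function handleAppMessage(msg, runReadOnlySql) {
  const reason = rejectReason(msg);
  if (reason) return { id: msg && msg.id, ok: false, error: reason };
  try {
    return { id: msg.id, ok: true, rows: await runReadOnlySql(msg.sql) };
  } catch (err) {
    return { id: msg.id, ok: false, error: String(err) };
  }
}

// Browser-only wiring. sandbox="allow-scripts" without allow-same-origin gives
// the frame an opaque origin: no parent DOM, cookies or localStorage.
function mountApp(container, appHtml, runReadOnlySql) {
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", "allow-scripts");
  frame.srcdoc = buildSrcdoc(appHtml);
  let port = null;
  frame.addEventListener("load", () => {
    if (port) { port.close(); return; } // frame navigated: close, never re-issue
    const channel = new MessageChannel();
    port = channel.port1;
    port.onmessage = async (e) =>
      port.postMessage(await handleAppMessage(e.data, runReadOnlySql));
    frame.contentWindow.postMessage({ type: "init" }, "*", [channel.port2]);
  });
  container.appendChild(frame);
  return frame;
}
```

The allow-list check only decides which operations reach the server; read-only enforcement still has to happen on the server side of `runReadOnlySql`, since the app's SQL text is untrusted.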
The feature is deliberately LLM-friendly: the create-app form ships a copyable prompt containing the database schema so a model can generate working app code, and Datasette Agent users get tools to create and edit apps in place. Willison notes the project itself was built with heavy AI assistance across Claude and GPT-5.5, and frames it as turning his long-running ‘vibe-coded HTML tools’ habit into a core Datasette capability.
This is an AI-generated summary.