Changed Domains for Iframe Previews

Note: You probably don't need to know any of this and hopefully didn't even notice it.


We used to use the domain s.codepen.io to render previews of the code you write in the Pen Editor, Details View, Full Page View, and more. Using a different domain (a subdomain in this case) is a very important security aspect of CodePen. If we were executing the code you write on codepen.io itself, that's essentially one massive XSS vulnerability.

We've now updated those same preview iframes to be an entirely different domain. This provides a little bit more security. For example:

  • Extra-eager password managers won't drop your saved CodePen login and password into Pens that are just demonstrating a <form> design.
  • There was a rare bug where users would get logged out because their cookie-storage would get over-stuffed from unusual Pens putting things there.

At the moment, we're using cdpn.io as the domain name for the iframe previews, but this may change at any time. We've re-architected this so it's easier for us to move around as needed.

The only reason this might affect you is if you happen to be someone who has written code to detect whether the Pen is rendering in a preview area or in a grid, and do different things accordingly. If you were, for example, regexing the domain name of the iframe for the existence of s.codepen.io and other pathing information, that may be broken now. I'm afraid we can't promise which domain name previews will render at going forward. At the moment, the path /fullpage/ is included in the URL, as it was before, but I wouldn't absolutely count on even that. And remember, I'm just talking about internal iframe URLs that are never publicly exposed. You'd have to be digging around in DevTools to see them, so this is only relevant for you deep-internals hackers anyway 😉

Another thing to be aware of is our no-referrer policy for rendering iframes. These internal URLs are meant to be rendered only inside iframes and only by codepen.io itself (otherwise it's a security issue), so we require requests for these URLs to include a referrer. If not, you'll see an error page. We've seen a bit of a rise in people hitting this error. Some cases are legit (you need to send a referrer, no exceptions), but some are a little trickier to sort out. If you're seeing this particular error and you think it's a mistake, hit us up in support.
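As an added illustration of the referrer requirement described above (this is example code, not CodePen's own), a server-side allow-list check on the Referer header of a preview-iframe request. The list of allowed parent origins, the function names and the sample requests are assumptions constructed for the example.

```javascript
// Added example: decide whether a preview-iframe request may be served,
// based on its Referer header. Not CodePen's code; the allow-list of
// parent origins below is a constructed assumption.
const ALLOWED_PARENT_ORIGINS = new Set([
  'https://codepen.io',
  'https://www.codepen.io', // assumed alias, not from the post
]);

// Returns true only when the Referer parses as a URL whose origin is on the
// allow-list. A missing, empty or unparsable Referer is rejected, matching
// the "no referrer, no exceptions" rule. Comparing the full origin (scheme,
// host, port) instead of a substring match avoids accepting lookalike hosts
// such as codepen.io.example (constructed) that merely contain the name.
function isAllowedReferrer(referrer) {
  if (typeof referrer !== 'string' || referrer.length === 0) return false;
  let url;
  try {
    url = new URL(referrer);
  } catch (e) {
    return false; // not a URL at all
  }
  return ALLOWED_PARENT_ORIGINS.has(url.origin);
}

// Classifies a request by its headers: 'serve' the preview, or show the
// 'error' page the post mentions. Header names are lower-cased, as Node's
// http module does.
function previewDecision(headers) {
  const ref = headers['referer'] || headers['referrer'];
  return isAllowedReferrer(ref) ? 'serve' : 'error';
}

// Constructed sample requests exercising the edge cases.
const samples = [
  { referer: 'https://codepen.io/pen/' },         // legitimate parent page
  {},                                              // referrer stripped
  { referer: 'https://codepen.io.example/pen/' },  // lookalike host
  { referer: 'http://codepen.io/pen/' },           // wrong scheme
  { referer: 'not a url' },                        // garbage
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', previewDecision(s));
}
```

Because the Referer is client-supplied and can be stripped by browser privacy settings or a page's Referrer-Policy, a check like this is a containment measure rather than strong authentication, which is also why legitimate embeds sometimes land on the error page.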

The post Changed Domains for Iframe Previews appeared first on CodePen Blog.

Anonymous Pen Save Option Removed

As of today, an account is required to save any content on CodePen.

In the past, it was possible to save a Pen without logging in. The Pen was saved “anonymously”, with no association to a CodePen account and no creator attribution.

Why?

Spammers, scammers, and others seeking to cause harm on the web abused the anonymous save feature. An overwhelming number of anonymous saves included spam/scam content or otherwise went against our Code of Conduct and Terms of Service. Over the past year, the volume and severity of abusive content increased.

Additionally, anonymous save created problems for people who unintentionally saved Pens without logging in. Some people would lose track of work because it wasn’t associated with their account. Others posted things they didn’t mean to share publicly, not aware that they would not be able to edit the anonymous Pen later.

CodePen offers free accounts. People are better off saving Pens to accounts anyway so they can be found again and edited if need be. Plus, more of CodePen's full feature set becomes available, such as Full Page View, which wasn't available for anonymous Pens.

When?

Now. Since so many anonymous saves were abusive, we made the decision not to give advance notice of this change to avoid tipping off abusers.

I don’t want to use my real name on CodePen. Do I have to now?

No. We removed the option to save a Pen without a CodePen account, but you do not have to use your real name on CodePen. You are welcome to use CodePen under a pseudonym. We have more details on that in our Privacy Policy.

I saved some anonymous Pens. What will happen to them?

Though we don’t plan to delete every anonymous Pen ever created, we do frequently update our spam detection. Any existing anonymous Pens that get flagged as spam in the future will be deleted automatically.

If you have an anonymous Pen that you would like to keep, you should fork or copy that Pen into your CodePen account.

I save anonymously to keep some Pens out of my profile. What should I do now?

We understand that use case and wish we could still support it, but the abuse made this option unsustainable.

We have lots of features to help you manage your CodePen content. Here are some options to consider:

  • Delete the Pen when it’s no longer needed. We even have an option to restore deleted Pens shortly after deleting if you change your mind.
  • Make the Pen private. You can share a private Pen with anyone by giving them a direct link to the Pen, but it won’t show in your profile and can’t be found in search.
  • Give the Pen a tag, like “temporary”, to make it easier to find and delete it later.
  • If you make a lot of temporary Pens, group them into a Collection to keep them together in one spot.
  • Pin a “scratchpad” Pen to your pinned items, and use it for throwaway work as needed.

The post Anonymous Pen Save Option Removed appeared first on CodePen Blog.