If you’re a CodePen user, this shouldn’t affect you aside from potentially seeing some console noise while we work this out. Carry on! At CodePen we have Embedded Pens which are shown in an <iframe> . These contain user-authored code served from a non-same-origin URL. We like to be both safe and as permissive as possible with what we allow users to build and test. The sandbox attribute helps us with safety and while there are some issues with it that we’ll get to later , this is mostly about the allow attribute. Say a user wants to use the navigator.clipboard.writeText() API. So they write JavaScript like: button.onclick = async () => { try { await navigator.clipboard.writeText( `some text` ); console .log( 'Content copied to clipboard' ); } catch (err) { console .error( 'Failed to copy: ' , err); } } Code language: JavaScript ( javascript ) The Embedded Pen is placed on arbitrary origins, for example: chriscoyier.net .…