Intended feature or potential security issue ? How to embed an iframe in talk.tiddlywiki

Hi all, I recently (a few minutes ago) noticed that it’s possible to embed a tiddlywiki file on this forum trough the iframe generated by codepen. Here’s an example :

I tried to replicate this result with codesandbox, glitch, JS Bin, JSFiddle, repl.it, stackblitz to no avail. I dont know what codepen does behind the scenes but it make tiddlywiki work, somehow.

While this is a very cool feature to have, is that intended ? Couldn’t that be potentially dangerous or at least annoying?

It seems like it could allow to execute arbitrary javascript code, for example this alert that triggers when the page refresh:

(admins, feel free to edit/delete my post to remove this iframe)

This is a cool feature! I like it!

I am not aware if this causes any security issue! but having it gives high flexibility!

On this is I see nothing … ??

Screenshot 2022-05-11 201452964×748 44.3 KB

TT

Hm, this is weird … it does work on my side :

image815×694 39.7 KB

I also tried with my smartphone and got the same result so I dont think it’s a cache issue ? I use firefox, do you use chrome or something else ?

EDIT: Chrome on android works, Edge too - but firefox is the fastest

For me works both on Chrome/Edge and FF (Win 10 / Desktop / Touchscreen)

@TiddlyTweeter Maybe you have some security settings or addon that block javascript ?

Okay so if I understand this article correctly, it seems like the real risk would be for an attacker to use an iframe as a disguised link or something and redirect the user on a malicious website. It’s not possible to remove codepen ui so the risks are low but there are probably other ways to achieve the same result without UI. it would probably be best if it was possible to force a sandbox attribute in the iframe tag to prevent top level navigation from the iframe, but I’m far from a web security expert.

At least codepen seems to prevent redirection from javascript.