
A few weeks ago we rolled out Content Security Policy (CSP) on CodePen. You can read more about CSP here. It’s a technology in modern web browsers that helps increase security.

One of the most important things it can do is stop XSS (“Cross-Site Scripting”, the classic route to stealing cookies). It does this by refusing to execute “inline” JavaScript (e.g. <script>alert(document.cookie);</script>) that the policy hasn’t explicitly allowed. We do everything we can to prevent scripts from being injected anywhere on CodePen, and will continue to, but if something slips through, it can’t execute anyway in browsers that support CSP. That’s a pretty nice security upgrade!

If you happen to notice anything behaving funky after this change, definitely let us know. There were some warts right after it went out and there might still be a few. For instance, we just fixed one where Instapaper wouldn’t work on blog posts, because CSP was blocking its script.