I was asked about the paradoxical nature of CodePen itself recently. CodePen needs to be safe and secure, yet we accept and gleefully execute user-authored code, which is like don’t-do-that 101 in web security. Marie and I hop on the show to talk this through as an update from quite a long time ago. It’s wonderfully-terribly complicated. Part of what complicates it is that there are many different kinds of worrisome code, from malicious, to distasteful, to spam, and they all need different treatment. This is a daily and never-ending war.

Time Jumps

  • 00:27 Listener question
  • 04:09 Browsers have gotten safer
  • 06:18 Sandboxing
  • 09:31 Sound in the browser
  • 11:19 Sponsor: Notion
  • 12:21 It’s not always bad actors, but sometimes it is
  • 15:35 SEO spam
  • 19:27 The threat of Google blocking
  • 20:31 Tooling to stop bad behaviour

Sponsor: Notion

Notion is an amazing collaborative tool that not only helps organize your company’s information but helps with project management as well. We know that all too well here at CodePen, as we use Notion for countless business tasks. Learn more and get started for free at notion.com. Take your first step toward an organized, happier team, today.

Transcript

[Radio channel adjustment]

Announcer: Today, on CodePen Radio.

Chris Coyier: Hello, everybody. CodePen Radio #397. I don't know what we'll call this. Safety, or something like that.

I had a question come in from some fella on Mastodon. Now, of course, I've scrolled away from it and can't find it, but I will link it up because it was a very fair question about CodePen and this weird idea that we allow users to write code and execute it right on CodePen. Now isn't that funny because it's just kind of like rule number one in running a Web app or an app of any kind is just don't allow people to execute their own code on the thing. It's highly, highly dangerous. But of course, that's core to our product and that's what we do.

We're going to talk a little bit, maybe vaguely sometimes, but with as much detail as is safe about this subject. I have with me Marie who knows all about this world. Hi, Marie.

Marie Mosley: Hey, everybody. Yeah, Chris asked me to come on the show, and I said no, I'm not going to talk about any of that.

[Laughter]

Marie: But you know. We worked it out. We figured out a couple of things we actually can talk about, so here we are.

Chris: Yeah. Yeah. Okay. Yeah, there are so many things to cover, so this will be a bit of a high-level overview, but I hope if anybody is in this position that they get a little out of how CodePen works and how it might work for you.

00:01:38

Chris: Marvin Danig was the name who wrote in asking about it, and he was asking specifically about allowing users to do executable code.

Marie: Right, which is like a fundamental question of, like, how the heck do we even allow this at all on CodePen.

Chris: Right.

Marie: That's a question that was answered long ago when CodePen was first put together, and that's something that Alex would be more of an expert to talk about there, but we sandbox the iframe. We have the code executing on a separate domain from the main domain. There's the content security policy. All sorts of little aspects there that kind of keep the iframe safe and the CodePen experience safe, in general.

Chris: Well, let's spend two more seconds on that because one of the interesting aspects of the kind of code that we execute on your behalf on CodePen is front-end code. It's browser-level code, which is different than server-level code. It's just in its nature a little bit, so we have to be worried about, particularly worried about, stuff like XSS.

So, if you could write a piece of JavaScript that would execute on codepen.io, that's very dangerous because you can, for example, steal cookies and such. I don't know if we use cookies anymore for login. I think we do it some other way. But assuming you could, you could log in as somebody else then. I don't think I have to teach this audience what XSS is, but it's very dangerous.

Guess what. You can't do that on CodePen. When we execute the code that you write, it's not on codepen.io, so that's what Marie meant when she said we execute it on a different domain.

Any time we're executing the JavaScript that you write, it's not on codepen.io ever. Just that alone is an amazing level of security and pretty much handles the bulk of the really dangerous stuff.

But let's just say some snuck out and somehow was executed on codepen.io. It would probably have to execute as, like, an inline script tag, and we have this thing called a CSP, which Marie also mentioned, the content security policy, which just says, "No, I won't execute code in a script tag."

Marie: Mm-hmm. Yeah. [Laughter] Very helpful.

Chris: Yeah. Right. It will execute code in a script tag that points to a source that's a codepen.io source but nothing else.

Marie: Right.

Chris: That's an amazing protection, just that, too.

00:04:08

Marie: Yeah, and that's gotten more powerful over time. Just CSP in general, the concept of CSP has gotten more powerful over time.

Another thing, I was looking back at our history of the podcast and I saw that the last time we talked about this type of stuff was about five years ago, in 2018. A lot has changed even with browsers since then.

Browsers have become more secure to work in, in this way, so alongside our efforts to lock things down and make it safer to use CodePen and to have CodePen as a thing, the browsers have also introduced new things that have made it a lot safer, too. So, we're all kind of working in concert. Everyone on the light side of the force, anyway, is all working in concert to make things safer.

Chris: Yeah, indeed. Okay, so there's that. There's also, like you mentioned, the power of sandboxing. That's a whole thing to itself.

But when you have an iframe element, which is what we use to execute your code on a different domain so that you can see it on codepen.io, there's this salad of attributes that you can put on the iframe.

Marie: Hmm... yeah. [Laughter]

Chris: That mostly is a whitelist. You say iframe sandbox, and it just locks that thing down. Then you say, "Oh, but allow this."

Marie: Right.

Chris: Allow this. Allow this. Allow this.

It's a little hard to keep up with, but we put that on there. It's exacerbated, if I've used the word correctly, by the fact that different browsers need a different salad of stuff on theirs.

Marie: Mm-hmm. Yeah. Yeah. Also, I think there's a little secrecy there, too. They're not necessarily forthcoming about them. They don't announce them as they become available.

Chris: Right.

Marie: And so, we just kind of find out about them when someone is like, "Hey, I'm trying to use this and it's not working."

We're like, "Oh, okay. Yeah, that's something we can allow now."

Chris: Right.

Marie: Then we have to spend a little time examining it and being like, "Do we actually want to allow this? Is this okay to allow?"

Chris: Right.

Marie: Also, if we allow this, is it going to break something elsewhere? It's something that we constantly have to examine, and we kind of only find out about it after the fact.

Chris: Yeah.

Marie: But I would imagine there are reasons for that.

Chris: Right. Yeah, that one is always a little annoying to us, but we've just dealt with it because it manifests with - I'm playing with some new technology. It's not working in CodePen. I see this error in the console. I submit a support message that says, "Can you look at this?" And we evaluate whether we're going to allow it or not (if we can find any docs on it).

Usually, we do because usually, it's not that big of a deal. Also, in different contexts, we allow different things.

Marie: Mm-hmm.

00:06:43

Chris: There is something called Debug View, which we'll probably get into because it's a safety concern here at CodePen that is not iframe and, thus, has none of these protections, but kind of on purpose.

Whereas imagine an API like the geolocation API. That's fine to use on CodePen, so we allow it in the sandbox but not in the grid. You know?

Marie: Mm-hmm. Yeah.

Chris: The grid doesn't allow that on there because you don't want to be browsing around CodePen and see a popup that's like, "Do you want to share your location with this website?"

Marie: Yeah. [Laughter]

Chris: You're going to be like, "No! What are you even talking about?" You know? So, there's a difference in what sandboxing stuff we allow in different contexts as well.

Marie: Right. That's true, and so we do have situations where we don't want certain things to happen when people are viewing things in the grid. That is one of them.

Also, a forced download. Obviously, we would never want to allow that to occur.

One thing that's odd that we run up against a lot is that if someone has an asset file that's hosted on a server that requires a username and password, like requires login, every browser, without exception, will pop up the login for that and will say, like, "You need to log into this site to access this information."

And so, we've done all kinds of stuff to try to block that, and the browser just let that go through no matter what, no matter what we do. You know what I'm talking about, right, Chris?

Chris: Yeah. What the heck?

Marie: Where somebody has an image file on a WordPress site and it's password protected.

Chris: Right. It pops up this very, like, old-school-looking username and password. Yeah. Yeah.

I think there was one little movement on that over the years, and I don't know. I haven't seen that one in a while. We should almost test it again.

Marie: Yeah.

Chris: If people are familiar with, like, it was called... Well, there's a .htaccess file.

Marie: Yeah, .htaccess. Yeah.

Chris: But that's specific to Apache servers. I'm sure there's some manifestation of this on any type of server, but you could pair it with a .htpasswd file, and people would do that. It's just like the very easiest way to add authentication behind something that they wanted to protect for clients or something like that.

The irony is that it would pop up through an iframe and there was nothing you could do to stop it.

Marie: Yeah, and it's still like that.

Chris: Yeah.

Marie: People will write in and say, "I was searching for something and this popped up," and it's always someone's abandoned WordPress site from 2012.

Chris: Right.

Marie: Is popping up a password request.

Chris: Come on! Yeah.

Marie: Like, why? There are so many other things that they get in the way of. I guess it's just not that big of a deal. Usually, you're just landing on that site, and you're like, "Oh, okay. I guess this site is broken," but it's probably only annoying to us [laughter], which is why it's not being dealt with.

Chris: Yeah, and it's such a niche thing.

Marie: It's very niche, yeah.

00:09:26

Chris: You know what's not niche? Sound. Why is there no attribute or anything at all in the salad of sandboxing stuff to stop fricken' sound from an iframe?

Marie: Yeah. [Laughter]

Chris: My God.

Marie: For real. Come on.

Chris: Yeah, or auto-play, or anything.

Marie: Yeah, and also I think that YouTube has special sneak-past-everything powers because we do have a problem where YouTube can play in circumstances where you feel like it really shouldn't, and that's inside Chrome. So, hmm...

Chris: Right. Right, right.

Marie: Maybe they're just friendly with each other there. You know?

Chris: Yeah. Yeah. I discovered a very niche, let's say, way to leak sound through the grid, which I will not share with you.

Marie: Yeah. Please don't. Come on.

[Laughter]

Marie: You've got to tell me but take it off the air.

Chris: Yeah. I hate that stuff. But that's why this question, this original question that came in was like, "What do you do?" And I was like, "You know what we do? A lot, all the time."

Marie: Everything all the time. Yeah.

Chris: Every day, we think about it. So, if you want to make a sandbox like CodePen, just know that you're signing up for a daily journey through bad behavior.

Marie: Yes, and it's ever-changing. A constant journey.

Chris: Right.

Marie: A constant journey that you're just always working against a shifting tide.

Chris: Right, and so you almost have to be mentally prepared for that. This is not like a thing that we're going to just win and be done with it, although that is highly enticing.

Every time we think of something really clever to stop a swath of bad garbage, it does feel very good, like, "Did we solve it this time?" Even though, of course, we did not.

Marie: You never solve it. You can't solve it.

Chris: Yeah.

Marie: That's another thing. It is like trying to solve the ocean being wet.

You're like, "This thing is full of water." You step into the ocean. Yeah, you can take some buckets out, but you keep going. You're still in there.

00:11:21

[Guitar music starts]

Chris: This episode of CodePen Radio is brought to you in part by Notion. It's a new year, folks. I'm sure a lot of you are doing planning and all that kind of stuff for the new year.

Certainly, we are at CodePen and using Notion to do it. We've used it for a long time for that. It really helps keep the team on the same page. Just absolutely love it. Thanks so much for the support.

Whether you're starting a new gym routine, organizing a trip with friends, or even planning your company goals, Notion is a flexible, collaborative workspace that helps you make meaningful progress in every part of your life. Get started in seconds by choosing from thousands of templates for every task. Make it your own from to-do lists, OKR trackers, and so much more.

Notion helps you build the exact system you want so you can work the way you work best. Start your year off right and get organized now with a free Notion account at (all lowercase letters) notion.com/codepen. Notion.com/codepen to learn more and get started for free right now. So awesome.

Again, thanks so much for the support. Love Notion here at CodePen. The best.

[Guitar music ends]

00:12:34

Chris: What we haven't distinguished, though, is a lot of this stuff is not from bad actors. It's just people doing stuff. And we still need to protect ourselves from just doing stuff.

Then there's just straight-up bad actors. If you're trying to XSS, fine, I mean that one is like, "Come at me, bro." We're pretty solid on XSS, I think.

But there's other little crap like, "Oh, we linked up some malicious JavaScript something-something," or "We're trying to convince people to click this thing and win penguin bucks," or whatever.

Marie: Yeah.

Chris: I don't know why that one always comes up from my brain. Some of that stuff we've, over time -- and this is probably no surprise -- we can just detect it and just stop it.

Marie: Yeah. Yeah.

Chris: Not to get into details on those tools, but we just can stop you based on what you're doing there. But talk about an uphill battle.

Marie: Yeah and, of course, that also always changes, too. The type of stuff that we were looking for five years ago, the last time we talked about this, I'll tell you nobody is trying to trick anybody into clicking a Game of Thrones streaming link anymore.

[Laughter]

Chris: Yeah.

Marie: Even when House of Dragon came out, as soon as I saw that I was like, "Oh, no." [Laughter]

Chris: Yeah.

Marie: Here we go. Here comes another Game of Thrones - after what we had gone through back in 2018. But no, people don't care enough about it to steal it anymore - sorry to say.

Chris: That's wonderful. You can tell what's actually popular.

Marie: Yeah. I'd be like, "Oh, it's not that popular."

Chris: With the people, yeah.

[Laughter]

Chris: Yeah. Okay. People just doing tricky garbage is something that we need to evolve and detect and whatever.

Marie: Right.

Chris: Certainly, there are modern tools to do that.

00:14:10

Marie: Yeah. There are different types of content that you have to look out for when you have a place where user-generated content can be posted. Obviously, the worst stuff is the malicious content, which is truly dangerous. That's malware.

Chris: Right.

Marie: Phishing, all that type of stuff, that's dangerous. That's dangerous not only to your site's reputation and your site's community, but to the Internet at large. This stuff is dangerous to potentially your nation.

Chris: Mm-hmm.

Marie: So, you want to be careful there. Then there's objectionable content, which that's going to vary depending on what type of site you have, what is defined as objectionable content.

What you want to have, of course, is a code of conduct that explains what would be objectionable content. Then you need to enforce that. That's tricky to do because sometimes you can't exactly detect that out of hand. But what you would want to do is make sure that you're always able to act on it if it's reported and also start to look for things that are related to it once you start to understand, okay, this is a new variant of objectionable content that has emerged.

That's something that's ever-changing. Things that are objectionable evolve over time. New, objectionable things emerge.

Chris: Indeed.

Marie: You just need to keep tight to your code of conduct, revise your code of conduct if it's appropriate. But yeah, objectionable content is kind of a vague term because it really does vary depending on what type of site you have.

Then there is SEO spam, and this is high, high, high volume, but if you're smart about it, it's not terribly high impact for you because, for one thing, SEO spam is -- just to define it in a nutshell -- when there is a link to another site, and the purpose of placing the link is to build the reputation of that other site in the old-school style of SEO, which is basically inbound links coming to the site.

So, what they'll do is they'll be trying to sell a service, trying to sell a product, or there's also this whole reputation-building world of SEO, which if you were paying somebody to build your reputation through SEO, try to evaluate where they're placing those links because they're probably placing them directly into a trashcan. [Laughter]

But anyway, one thing that Google gives content sites that kind of helps here is the rel UGC attribute, which means that you can label the link as user-generated content. And so, they know, "Okay, this is just something somebody posted. Count it with that grain of salt," you know when they're evaluating you for another site.

Chris: Yeah.

Marie: We slap that onto outbound links. SEO spam that's coming into CodePen is high volume, and we do delete it when we discover it, but it's not a high priority because it is very -- it's not terribly harmful to the community at large or to the Web at large because we're already telling Google, "Don't even pay attention to this." [Laughter] So, they already know it's not important.

00:17:11

Chris: All those three are very different and require different tooling, different approaches, different stuff.

Marie: Exactly. They're completely different from each other. They have to be managed in separate ways, and they have to be given different priority.

Sometimes we need to just go up to priority one and let the other stuff mellow for a bit. Other times we're able to really focus up on one particular type of high-volume spam thing.

We've had to do some things, like for example the reason why there is a limit of how many Pens a free account can make in a seven-day period comes from SEO spam floods that we used to get. We used to get accounts that would sign up and post like 500 Pens that were just loaded up with spam, and it actually became difficult.

This was in the earlier days. It would become difficult to delete those accounts when we did discover them, so we actually had to put a hard limit like that.

And even now, we've left that limit in place. It really does continue to catch spam accounts. When an account triggers that, that's the time to take a look at that account and see, "Okay, what's going on here?" You know? Oftentimes, you do find that it's an SEO spam account just trying to barf out thousands upon thousands of links.

Like you said, it really does take a lot of different types of tooling, different types of attention, and different levels of priority to just keep it all clean, keep it all in balance.

Chris: Yeah. Yeah. Would you say that's in order of volume? [Laughter] Just interestingly. Like most stuff is just, ugh, SEO garbage again?

Marie: Oh, yes.

Chris: Then second to that is intentionally objectionable crap.

Marie: Yep.

Chris: Then the least of it all is the really dangerous stuff. It's the worst, but it's the least - thank God.

Marie: Yeah. There is the least of that because that's criminals doing criminal stuff, and there are fewer of those. Even if you work in spam, even if you work in community, it's true. There are fewer criminals than regular people. It may feel like there are more, but it's true. There are actually more regular people trying to use your product than criminals.

But I'll tell you; sometimes it feels different. [Laughter]

Chris: Right.

Marie: When you work at fighting it, it does.

00:19:26

Chris: And these are dangerous for this. Maybe you mentioned this specifically, but one worry that we all carry around on our shoulders is that if one of these lives for a little too long and gets a little too much attention (from somebody like Google, and they're the big dogs in search, so that's what really matters).

Marie: Mm-hmm.

Chris: And somebody just pushes a button over there and says, "Oh, that CodePen. They're just too dangerous. We're going to put the red screen of death up for them."

If we can't resolve that real quick, we just are done as a company.

Marie: Exactly. Yeah, and so that's the reason why we treat this with very high priority.

Chris: Right.

Marie: Also, when these things come up, we do act immediately. We do work directly with Google immediately when this happens, so we do work it out. It's something that we're--

I would assume they're relatively familiar with what we really are versus what they're discovering.

Chris: Right. Fortunately, that's the case. Yeah.

Marie: Because we've immediately hopped into action when it comes up - in part.

Chris: Oh, gosh. So, there's lots of stuff that we're not going to tell you, so just [evil snickering]

Marie: [Laughter] Well, don't say it like that.

Chris: Yeah. [Evil snickering]

Marie: No. [Laughter]

Chris: Well, it's just interesting bespoke tooling. We have all fricken' kinds of tooling that does stuff. You know.

Just so you know, we had stuff go out just in the last week or two.

Marie: Yeah, we did.

Chris: That's meant to stop your dummy butts.

00:20:57

Marie: Yeah, I will say if this is what you're doing as your job, start tooling up. Get your meeting together to start tooling up on something else because it ain't going to be worth it real soon. [Laughter]

Chris: Yeah.

Marie: Just move along.

Chris: Yeah, rock-n-roll. Move along, please.

There is some automated stuff that comes from not our own two fingers.

Marie: Yes.

Chris: We've talked up many times that we use Cloudflare just generally in front of CodePen, which stops us from kind of a different style of bad behavior, stuff like DDoS.

Marie: Mm-hmm.

Chris: It's kind of fun to look back over the last couple of weeks of logs and be like, "Oh, look. On Tuesday, somebody tried to DDoS us."

Marie: Oh, there was a DDoS. Yeah.

Chris: Yeah.

Marie: Oh, well.

Chris: Suck it.

[Laughter]

Chris: Yeah. Nothing happened, which is a result of lots of work and money, fortunately.

Marie: Yeah, but they're rock solid. They really do save us from a lot of trouble. They've also cut down significantly on the volume of the SEO spam.

Chris: Mm-hmm.

Marie: They get in the way a lot of a lot of that. A lot of the automated signups are just taken out at the root.

00:21:57

Chris: That's great. One of the worst is I think we had one of these somewhere recently that I just laugh at, that somebody paid real money, meaning that we have Pro accounts.

Pro accounts is another one of our tools, let's say, for fighting bad behavior because you get a little more abilities with a Pro account. You can unauthenticatedly look at debug view, which otherwise would be a very dangerous view of CodePen because of the lack of protections there - or whatever. So, if you want that, you've got to pay money for it.

Now, they'll probably use a stolen credit card or something, and I'm like, "That's really--" you're doing a lot of work there to get--

Marie: Yeah, I mean that's crime.

Chris: --one day or less.

Marie: Yeah.

Chris: That's crime, straight up crime.

Marie: And I mean it leaves a visible trail, which it's not held by us. It's held by places like Stripe and PayPal who are in contact with the FBI.

Chris: Right.

Marie: The international law enforcement, so it's a terrible idea to even try it. But of course, these are criminals we're talking about.

Chris: Ugh. Yeah. Fortunately, that's still a pretty good protection despite a very rare slip-through.

Marie: It's great because if it does come through, if they do get through, then you just mark it as fraud, as invalid to either Stripe or PayPal, and then that kicks in, and it'll start detecting when they come back or when their buddy gets on or whatever. All the interlinking that happens completely outside of CodePen is known to Stripe and the card networks and PayPal.

That's finance. They all are much, much, much, much more advanced in the world of security than any content site. So, they're all working together. They all figured out, okay, this is related to this other charge. Block this too.

In that case, if someone gets fraud blocked, they're blocked at the level where they can't make the payment in the first place, and it disables their CodePen account. So, that gives us an opportunity to pull them out before they've even done anything. And that's all detective work that's being done by our payment process, so we can thank them for that.

Chris: Yes. Yeah. Well, thank you. [Laughter]

Marie: Yes. Thank you for that. Thank you for a lot of things. We do love our friends at Stripe and PayPal. They make it possible for us to be a business, which is fantastic.

But then in addition to those third-party tools, which they do a lot of the heavy lifting and I do have to give them a lot of credit, we also have tools on our side that help out, of course. We have our own filters, our own mechanisms for freezing an account, which can help us identify things that are about to become trouble even before they do become trouble, or sometimes catch them in the act and stop them from doing what they're about to do.

Chris: Mm-hmm.

Marie: Which is very, very handy. If you get caught up in one of these types of things, you simply will not be able to post anything. You won't be able to do anything at all on CodePen. Then we just come through, pick up everything that's frozen, and throw it in the trash.

Chris: Yeah.

00:24:57

Marie: And when I say we throw it in the trash, we have built in a soft delete mechanism now, so when we delete an account as an administrator.

Now, if you delete your own account on CodePen, it is gone, gone, gone. Like we do not hold it at all.

Chris: Right.

Marie: Because that's for privacy reasons, we just let you completely destroy your own account. That's fine.

When we delete it, when we've made a decision to delete an account, we actually hang onto it for a short while, not very long, but for a short while so if that was a mistake, if we discover, "Okay, accidentally, we deleted this group of accounts when we were supposed to delete these," for example, or if someone writes in and appeals it and we realize, "Okay, yeah, that was a mistake. This is not actually spam," we can just bring it back.

And so, that makes it so that we can move a lot faster.

Chris: Yeah. Right.

Marie: We used to be real slow.

Chris: You could bring it back by clicking a button, not by, like, "Let me pull the old database."

Marie: Right. Yes. Yeah, which is what we had to do in the old days, and so we would be really slow and meticulous and careful about deleting accounts in the past. Now we can work in bulk much more often without it being a problem for us.

In the very rare instances where we've made a mistake -- and as we go on, they get more and more rare -- we can bring an account back in a short time frame. I mean if someone doesn't notice their account was deleted, like, for 90 days or something, then in that circumstance we really can't help. But that's never happened. It's only been occasionally, like we'll grab something, and the next day the person is like, "What happened to my account?" And we're like, "Oh, yep. That was a mistake," and we bring it back.

Chris: Yeah. Right, right. If that happens to you, let us know. That's an unfortunate price to pay. Not the world's best experience for that person, but--

Marie: Yeah.

Chris: We've got to watch our own ass here. [Laughter]

00:26:38

Marie: Yeah, exactly. That's the key challenge that we face here, and that any site that hosts user-generated content is always going to face: you've got to keep it safe, but you also don't want to stand in the way of legitimate use of your product. So, even little stuff like you have to verify your email address before you can use every feature of the free product.

Just that alone is enough friction for us to lose people sometimes. Either they don't get the email or they don't want to verify their email address or they use a fake one or whatever. And so, we end up losing people because they don't want to jump that one relatively small hurdle and relatively common hurdle, too, for a site where you create content.

So, that's a little piece of friction that we've had forever, and we know it's a little piece of friction. So, every additional piece of friction that we add on top of that could potentially alienate or make impossible the use of CodePen for someone else.

So, we really have to think these out and kind of like balance it with the risk versus making CodePen something that lots and lots of people can use. So, it's something that's--

Like we were saying at the beginning of the show. It's never permanently solved. You can't find the solution to spam. You cannot find the solution to bad behavior. Those things are impossible. But what you can do is be able to use your own tools, reach out to the tools that are available to you, and just do what you can to make it as comfortable as possible.

I think the average person using CodePen doesn't think, "Oh, this place is full of spam." You might think, unlike any other content place, you know--

Chris: Right.

Marie: I don't feel like people think, "Oh, there's a lot of spam here," and that's down to the work that we put in.

Chris: Work. Work.

Marie: A lot of work. Work, work, work, that's us.

Chris: [Laughter] Yeah. It kind of is. It kind of is. But we've made it this far. It's pretty good.

Marie: Yeah.

Chris: And you especially do so much of it, which is awesome.

00:28:39

Marie: Yeah, you know, and it is kind of nice to talk about it, even though I was a little bit vague, and that's the shame of it, too, is that I think all of us that work on this have to be a little bit vague and secretive about what we're doing because we are working against essentially criminals. And so, I do wish there was a way that everyone that does stuff like this could kind of work together a little bit more and share knowledge with each other a little bit more.

I don't know. Maybe there is something where we're doing that and I don't know about it yet. [Laughter]

Chris: No. I mean, yeah, I don't know. If the right company came to us and asked for details or wanted to sit down and talk about it, I would - as long as I could tell that you're not--

Even if it was competitive but the point of that was just safety, that would be fine.

Marie: Yeah. If we all just want to knock this out, I want to knock it out just as bad as anybody else. So, yeah, I think it would be great to be collaborative on this with other folks in the field, realistically, because we're all facing the same thing.

I know everything I just talked about here is showing up everywhere else too. There's no way it's just us.

Chris: Yeah. One thing that makes me feel good is that there are at least two tricks I can think of up our sleeves that we haven't fully pulled the trigger on. It's kind of like if this got any worse, we'd be like, "We've got a couple of sledgehammers in our back pocket."

Marie: We do. We do.

Chris: Just so you know. [Laughter]

Marie: Yeah, you know it's fun to swing the hammer every now and then. [Laughter]

00:30:07

Chris: Yeah. Yeah. What's also nice about it is that we can trust some of our analytics numbers.

For example, we crossed a threshold -- I think it was just this week -- about number of users. I don't know how close we keep that to our chest, so I'll just shut up about that for now. But it's good to know that that number isn't just total BS.

Marie: Mm-hmm. Yeah.

Chris: You know what I mean? You'll even do an old-school sweep. You'll be like, "Ooh, you know what? I discovered this really weird kind of like - I don't know - honeybees or something." [Laughter] You know?

Marie: Yeah. [Laughter]

Chris: And then go back in time and just find some old crap that's like, "Well, it's unfortunate that we missed this, but it's gone now."

Marie: Yeah. Then also, again, you see it's had zero action at all. It just got dumped there and that was it. So, it's basically tidying up rubbish.

Chris: Yeah.

Marie: It's not really saving the world. But yeah, it is funny because sometimes you'll just go back in time and be like, "Oh, okay. Well, in 2018, a bunch of people were trying to sell card tables in Poland."

Chris: Right.

Marie: We can nuke these now. [Laughter]

Chris: [Grunting] Those Polish people. My God. I almost bought a fake woodcarving there once. I'm still pissed about it.

Marie: Well...

[Laughter]

Marie: I don't know what to say.

Chris: It was one of those things where the guy has got a knife out. He's got a thing of woodcarvings. He's got a knife out. There's wood shavings all over the ground, and you're like, "Oh, man. This guy is so legit. He is carving these wood things right here in front of me."

Then if you really look, he's just got a twig, and he's just chucking stuff off the twig.

Marie: Okay, so then you're the type of person I'm looking out for when I'm deleting this SEO spam.

[Laughter]

Marie: Do it for Chris.

Chris: Yeah. Thank you.

Marie: I've got to put that up like a Homer Simpson sign.

[Laughter]

Chris: Nice. All right, well, thanks, Marie, for all that. And we'll talk again soon. It's 397 here. We have a couple more really--

Marie: Oh, yeah. We're coming up on it.

Chris: --interesting ideas. Yeah, we'll hit 400, and we'll talk about what's going on at CodePen in preparation for a little hiatus as we finish up our bigger projects. Then we'll use this podcast to talk about that.

Frankly, I'm just a little sick of dancing around our bigger projects, and I want to just wait until we can talk about it.

Marie: Yeah. Me too. [Laughter] I agree. Right on. Well, I'll be on that one. Thanks for listening, everyone.

Chris: All right. Bye-bye.

Marie: Bye-bye.

[Radio channel adjustment]