by mcintyre1994 1773 days ago
They're on another domain they own, but they are on another domain (cdpn.io) and the cross-origin concern does apply. They do that because they have auth cookies on codepen.io and don't want them exposed to the iframe.

See these tweets by their cofounder: https://twitter.com/chriscoyier/status/1422940724295786503?s... and https://twitter.com/chriscoyier/status/1420033471376920578?s...


If they were on the same domain you could load iframes with the parent site and do arbitrary CSRF.
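The two comments above turn on two separate browser rules: the same-origin policy (scheme, host and port) that governs script access between frames, and RFC 6265 cookie domain-matching that decides which hosts receive the parent's auth cookie. The following is an added example, not code from the thread or from CodePen; codepen.io and cdpn.io are the domains named above, while the `sandbox.codepen.io` host, the URL paths and the cookie attributes are constructed to show why a separate registrable domain, rather than a subdomain, keeps the session cookie away from the iframe.

```javascript
// RFC 6265 section 5.1.3 domain-match: the request host equals the cookie
// domain, or ends with "." + cookie domain (ASCII hostnames, case-insensitive).
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// Same-origin policy: URL.origin already folds scheme, host and port.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Would a request from the iframe host carry the parent's auth cookie?
// Host-only cookies (no Domain attribute) go only to the exact host;
// cookies with a Domain attribute go to that domain and all subdomains.
function cookieSentTo(host, cookie) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatches(host, cookie.domain);
}

// What a parent page at parentUrl shares with an iframe at sandboxUrl.
function sandboxExposure(parentUrl, sandboxUrl, authCookie) {
  const sandboxHost = new URL(sandboxUrl).hostname;
  return {
    sameOrigin: sameOrigin(parentUrl, sandboxUrl),
    cookieSent: cookieSentTo(sandboxHost, authCookie),
  };
}

// Constructed scenarios: a Domain=codepen.io session cookie on the parent.
const authCookie = { domain: 'codepen.io', hostOnly: false };
const scenarios = {
  // Separate registrable domain (what the thread describes): isolated.
  separateDomain: sandboxExposure('https://codepen.io/pen/', 'https://cdpn.io/embed/', authCookie),
  // Hypothetical subdomain sandbox: cross-origin, but the cookie still flows.
  subdomain: sandboxExposure('https://codepen.io/pen/', 'https://sandbox.codepen.io/embed/', authCookie),
  // Same origin: script access and cookie both shared with the iframe.
  sameOriginPath: sandboxExposure('https://codepen.io/pen/', 'https://codepen.io/embed/', authCookie),
};
```

For each scenario, `cookieSent` is the property that matters for the CSRF concern in the reply; `sameOrigin` is the one that matters for DOM and script access.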