Iframes
Your computer is protected from the content of unapproved posts because their code runs in sandboxed iframes. This means that malware cannot be run, and the code cannot access cookies or any other data on the makenolaw.com domain. The iframe sandbox also disallows popups, form submission, and more.
Content-Security-Policy
Our Content-Security-Policy (CSP, a mechanism that restricts what a website is allowed to load) allows only a short list of sites to be embedded in an iframe, which prevents clickjacking. Most browsers that don't support CSP are unable to load posts at all because they also lack other required features, but browsers that load posts without enforcing CSP are shown a warning that cannot be dismissed. If you see this message, upgrade your browser before using this site.
Objects, applets, and embeds are disabled (via the CSP, in addition to attempts to disable them on the server side), as is mixed content.
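The two layers described above, as an added example (not makenolaw.com's own code): a CSP header assembled from the iframe and script allowlists, and the sandboxed iframe used to embed an unapproved post. The domains and the post markup are constructed placeholders.

```javascript
// Added example, not the site's own code. Allowlists are placeholders.
const APPROVED_FRAME_SRC = ["https://frames.example", "https://video.example"];
const APPROVED_SCRIPT_SRC = ["https://cdn.example"];

// Build the CSP: frame-src and script-src are limited to the allowlists,
// object-src 'none' disables <object>, <applet> and <embed>, mixed content is
// blocked, and frame-ancestors limits who may frame the site (clickjacking).
function buildCsp(frameSrc, scriptSrc) {
  const directives = [
    "default-src 'self'",
    `script-src 'self' ${scriptSrc.join(" ")}`.trim(),
    `frame-src ${frameSrc.join(" ")}`.trim(),
    "object-src 'none'",
    "frame-ancestors 'self'",
    "block-all-mixed-content",
  ];
  return directives.join("; ");
}

// Sandbox tokens an unapproved post may be granted. allow-same-origin is
// deliberately absent: together with allow-scripts it would let the content
// reach into the parent document and remove its own sandbox attribute.
const SAFE_SANDBOX_TOKENS = new Set(["allow-scripts"]);

function isSafeSandbox(tokens) {
  if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
    return false;
  }
  return tokens.every((t) => SAFE_SANDBOX_TOKENS.has(t));
}

// Escape for a double-quoted attribute value; srcdoc decodes entities before
// parsing the HTML, so only & and " need escaping here.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Markup for embedding one post. The post's HTML lives in srcdoc, so it runs
// with an opaque origin: no makenolaw.com cookies, no popups, no form posts.
function embedUnapprovedPost(html, tokens = ["allow-scripts"]) {
  if (!isSafeSandbox(tokens)) {
    throw new Error("unsafe sandbox token set: " + tokens.join(" "));
  }
  return `<iframe sandbox="${tokens.join(" ")}" srcdoc="${escapeAttr(html)}"></iframe>`;
}

console.log(buildCsp(APPROVED_FRAME_SRC, APPROVED_SCRIPT_SRC));
console.log(embedUnapprovedPost('<p class="post">constructed post body</p>'));
```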
List of approved iframe src urls
If you want support added for a site, send us feedback and it'll likely be added (hover over top right dropdown when logged in, and you'll see the feedback button). The supported sites are:
List of approved script src urls
Scripts are also limited by our Content-Security-Policy. Only scripts from the following domains are allowed at this time:
Distinguishing between approved and unapproved posts
Approved posts have the icon next to their tag list, and unapproved posts have the icon.
Approved posts vs HTML approval of posts
Approved posts are allowed to run freely on a page. Posts are only approved after they have been vetted, and usually only when they do not work inside a sandboxed iframe.
Posts need HTML approval either when they are made by users with fewer than the minimum required reputation (10 at the time of this writing) or when a post's code appears suspicious. Certain functionality, such as editing the contents of a user's clipboard, is usually not allowed, and using it will cause the post to be flagged. A flagged post will not be shown to other users until it has been approved.
Infinite loops and other browser-intensive JS
Several steps have been taken to mitigate infinite loops and other browser-intensive JS (using a modified version of jsbin's loop-protect), but the protection is not perfect yet. This is the reason for having a minimum reputation to make posts containing HTML and JS. It takes time to reach that level of reputation, which will hopefully deter users from wasting their account and time on a post that likely wouldn't work anyway. The minimum reputation required will increase over time.