Hello again world,
Update Jun 15, 2020: Our domain registrant has blocked *.csb.app again without a heads up, despite an information sharing agreement. Please read below to understand our changes to cope with the outage.
CodeSandbox' preview window usually shows you content served from *.csb.app. As of 1:53AM UTC today we are facing a csb.app full (sub-)domain suspension enforced by our domain registrar without any heads up. Likely because of abuse reports that are not shown to us.
For those who are used to linking directly to *.csb.app, please use *.codesandbox.io instead, where * is a wildcard for a unique sandbox short ID. The preview window now serves content from *.codesandbox.io until this issue is resolved.
This happened before and we have taken various measures to reduce the chance of suspensions happening again. Amongst others, we are now showing phishing warnings via Cloudflare, inspect, block and/or remove reported sandboxes. Most cases involve phishing.
Please stay tuned as we work to solve this issue asap with the help of our partners.
No noticeable progress on this issue: Domain Registrar is reviewing our compliance deliveries made 19 hours ago. It's now a total of 34 hours since two domains were suspended.
Thanks for these updates!
Reflecting on the situation makes me realize I have a couple of questions:
This happened before and we have taken various measures to reduce the chance of suspensions happening again.
I have read threads from some who mention the csb.app or its subdomains being blocked by an upstream gateway in their network connection (example: #2210). In that particular example, Ives suggested accessing content via codesandbox.io as a fallback.
I remember a time when the csb.app domain wasn't being used by the platform. Do you have a link to share which explains why it was created, how it's used compared to codesandbox.io, etc.? If there was ever an announcement, I missed it.
Following Ives' suggestion (which appears to be built into the platform now), I'm considering implementing similar logic externally (when possible) when linking/redirecting to sandboxes. Given the nature of cross-origin security in browsers, I was thinking that this might present a challenge when dealing with certain things like browser storage, which is isolated per origin. For example, if I've stored state locally on a device at abc.csb.app and try to load the app at abc.codesandbox.io, I won't be able to access the locally-stored data. Do you have any guidance on how to address this?
Domain suspensions have been lifted as of 17:36 UTC and we will take further measures to lower the probability of this happening again: hopefully in cooperation with our domain registrar. We have a clear interest to investigate why exactly this happened, but so far these requests have not been answered. We continue to try.
I'll defer to @CompuIves or @lbogdan to provide you with more appropriate answers than I can give @jsejcksn. As far as I recall we have not announced the switch with much detail last year.
Looks suspended again. Any update?
Yes @jsejcksn. Our domain registrant is probably acting on aggregated reports and automated decisions. We have taken similar actions as yesterday and based on precedents I expect it to be resolved by Monday for now. We're doing everything we can to bring us up asap. (Just noticed I didn't post this draft I created some odd 9 hours ago)
Things seem stabilized now.
@CompuIves @lbogdan: When convenient, will you please take a look at my two questions from the comment above?
Domain suspension for csb.app has been lifted as of 5:06AM UTC today. Leaving this open until your questions are addressed @jsejcksn.
Closing this one now, seems like everything is behaving fine now!
@CompuIves Did you see the two questions above?
This issue resurfaced due to phishing reports, so re-opening. @jsejcksn I've asked @CompuIves to get back to you on your original questions. Please excuse our delay.
Oh whoops, sorry @jsejcksn!
I remember a time when the csb.app domain wasn't being used by the platform. Do you have a link to share which explains why it was created, how it's used compared to codesandbox.io, etc.? If there was ever an announcement, I missed it.
We started using csb.app for two reasons:
We're aiming to use csb.app 100% for all sandboxes, and were also thinking of redirecting codesandbox.io to csb.app, but we found out that some companies only have *.codesandbox.io whitelisted and *.csb.app blocked, so we're not able to do any redirect unfortunately.
Following Ives' suggestion (which appears to be built into the platform now), I'm considering implementing similar logic externally (when possible) when linking/redirecting to sandboxes.
That makes sense. Our rule of thumb is to keep a single machine on the same domain. So we only want to redirect to use *.codesandbox.io if *.csb.app is blocked for that machine. That way we'll stay consistent with browser caches. The problem that we're facing right now with domain blocking was unforeseen though, and this shouldn't have happened. We're now going to resolve it again, and make sure that it won't happen again.
@CompuIves Thanks for responding to my first question.
You might have accidentally overlooked part of the second question, but this is the part that I really wanted a response to:
Given the nature of cross-origin security in browsers, I was thinking that this might present a challenge when dealing with certain things like browser storage, which is isolated per origin. For example, if I've stored state locally on a device at abc.csb.app and try to load the app at abc.codesandbox.io, I won't be able to access the locally-stored data. Do you have any guidance on how to address this?
Hi, as this is something that may happen from time to time because people abuse the *.csb.app domain and you want to discourage use of codesandbox.io can we look at supporting custom domains e.g. *.mycustomdomain.co.uk/.com etc? That way devs etc can optionally use their own domain which wouldn't be blocked because of the actions of a few people.
Liking your suggestion @johnman. For now the suspension has been lifted. Our first priority is to: (1) either change the way our current domain registrar (brute) forces its policies, or (2) transfer the domain to a more cooperative registrar. That should prevent this from happening altogether. We've made progress, but no commitment to date on (1).
csb.app is up again. Reopens upon recurrence.