How to securely install sandpack on a website?

[lancejpollard]

Reading https://sandpack.codesandbox.io/docs/guides/hosting-the-bundler#security it says:

The bundler evaluates and transpiles all files in an iframe under a different subdomain. This is important, because it prevents attackers from tampering with cookies of the host domain when evaluating code.

Does this happen in the default/basic installation of Sandpack? Is it loading the client/bundler from a third-party domain, like codesandbox.io? I couldn't find this exact info anywhere.

If you want for things to be more secure, do you need to host it on a subdomain? Do you need to host every users' code as a separate bundler on it's on unique subdomain (so like <UUID>-preview.myapp.com? Or how do you set this up correctly?

Thanks for the help.

[danilowoz]

Hey, in response to your questions, it's important to highlight two important things:

• When using Sandpack, CodeSandbox never stores the sandbox content in its server - everything runs in the user's browser.
• By using Sandpack, you will only get static files from codesandbox.io, and these files will be responsible for evaluating and bundling the sandbox content you create.

If you want, you could serve the very same static files that CodeSandbox does in your serve and work with a very isolated solution without third (us) dependencies, but the result would be the same as you have now: a sandbox iframe running from an external domain but without the advantage in getting CodeSandbox latest bundler version and updates.