When loading up a project in the editor, built-in JavaScript functions such as alert, prompt, and confirm will run. This will only happen if the .js file containing the script is included by the index.html file.
It appears that the script is called via an embedded project page, because running alert(location.href) will return the project.glitch.me URL instead of the editor one.
This issue could possibly be used to run XSS on the editor, so it should probably be fixed.
Thanks, DerDer56
Thank you! We’re going to ship some changes to the iframe that loads your project, which will make sure that the JavaScript does not run in the background from your project until you’ve opened the side-by-side preview.
Fortunately the iframe creates a sandbox which means that the javascript running in the project can only target that project domain (example.glitch.me), so there isn’t a risk of XSS attacks here.
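The reply above relies on two properties: the project frame runs on a different origin from the editor, and the frame is not loaded at all until the preview is opened. The following JavaScript is an added illustration of both, not Glitch's own code. The editor origin `https://editor.example`, the `previewFrameMarkup` and `isIsolatedFromEditor` helpers, and the chosen sandbox token set are assumptions made for the example.

```javascript
// Added illustration, not Glitch's code: how an editor page can embed a user project so that the
// project's JavaScript is isolated from the editor and does not run until the preview is opened.
// Assumptions (hypothetical): the editor is served from https://editor.example and projects from
// https://<name>.glitch.me; the sandbox token set below is this example's choice, not Glitch's.

const EDITOR_ORIGIN = "https://editor.example"; // hypothetical editor origin

// Conservative sandbox: scripts may run and forms may submit, but the frame gets an opaque origin
// (no allow-same-origin), cannot navigate the top-level page and cannot open popups.
const SANDBOX_TOKENS = ["allow-scripts", "allow-forms"];

// Escapes a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// True when the project URL is https and its origin differs from the editor's. A cross-origin frame
// cannot read or script the embedding document, which is the property the reply above relies on.
function isIsolatedFromEditor(projectUrl, editorOrigin = EDITOR_ORIGIN) {
  let parsed;
  try {
    parsed = new URL(projectUrl);
  } catch {
    return false; // unparseable input is never treated as isolated
  }
  if (parsed.protocol !== "https:") return false; // refuse downgradable schemes
  return parsed.origin !== new URL(editorOrigin).origin;
}

// Returns the iframe markup to inject, or null when nothing should be embedded yet. Returning null
// while the preview is closed is what keeps the project's scripts from running in the background.
function previewFrameMarkup({ projectUrl, previewOpened }) {
  if (!previewOpened) return null;
  if (!isIsolatedFromEditor(projectUrl)) return null; // never embed something on our own origin
  const href = new URL(projectUrl).href; // normalized URL
  return `<iframe src="${escapeAttr(href)}" sandbox="${SANDBOX_TOKENS.join(" ")}" referrerpolicy="no-referrer"></iframe>`;
}

// Stand-alone demonstration with a constructed project URL.
console.log(previewFrameMarkup({ projectUrl: "https://example.glitch.me/", previewOpened: false })); // null
console.log(previewFrameMarkup({ projectUrl: "https://example.glitch.me/", previewOpened: true }));
```

The origin isolation comes from the same-origin policy, not from the `sandbox` attribute: a frame on `example.glitch.me` cannot touch the editor's document whether or not it is sandboxed. The `sandbox` attribute adds restrictions on top of that (opaque origin, no top-level navigation, no popups), and deferring the embed until the preview is opened is what stops the project's `alert` and friends from firing while you are only editing.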