ShareMyPage lets people publish HTML, often generated by an LLM like Claude or ChatGPT, and share it behind per-page access control. So the core of the product is the one thing every security guide warns against: taking arbitrary HTML from users and serving it back, executing, in a browser.
Here is how I make that safe. The same approach works for anything that hosts user-supplied HTML: comment previews, email renderers, no-code builders, AI artifact viewers.
Why a plain iframe doesn't work
Rendering the HTML in an iframe on your own domain is broken. An iframe on app.yoursite.com shares an origin with your app. If you grant allow-same-origin, uploaded JavaScript can read document.cookie, call your same-origin APIs with the user's session, and walk your DOM. And combining sandbox with allow-same-origin is the trap: together they hand the untrusted code back the origin you were trying to take away.
A separate, cookieless content origin






