Paste HTML, see it rendered live in a sandboxed preview - resize the split, simulate phone/tablet/desktop, catch JS errors.
🔒 Sandboxed. The preview iframe runs in a null origin with sandbox="allow-scripts allow-modals allow-forms allow-popups". Pasted scripts can't read cookies, localStorage, or anything else from gekro.com. allow-same-origin is deliberately absent — adding it would defeat the sandbox.
As-is, no warranty. These apps are free under their listed license and run entirely in your browser. Use at your own risk — don't blame me if your PC catches fire, your dog runs away, or the math turns out wrong. Verify anything that actually matters. None of this is professional financial, medical, legal, or engineering advice.
Paste HTML on the left, see it rendered on the right - live, as you type.
window.onerror and unhandled promise rejections from your scripts
Everyone says “sandboxed iframe” - this one actually is.
The preview iframe is configured exactly as:
<iframe sandbox="allow-scripts allow-modals allow-forms allow-popups"
referrerpolicy="no-referrer"
srcdoc="..."></iframe>
What that means for your pasted code:
null because allow-same-origin is deliberately NOT included
document.cookie, localStorage, sessionStorage of the parent site
parent.document or any parent DOM
top.location = ... is blocked)
Why allow-same-origin is the danger: per MDN, combining allow-scripts with allow-same-origin lets the iframe’s script remove the sandbox attribute and gain real-origin access. We never enable that combination.
Top-level navigation to a Blob URL or data URL would inherit gekro.com’s origin and defeat the sandbox. The Fullscreen API (the button labelled “⛶ Fullscreen”) keeps the iframe sandbox active and is the safe equivalent.
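An added example, not the tool's own code: a small JavaScript audit that checks every iframe in an HTML string against the rules above, flagging a missing sandbox attribute, the allow-scripts plus allow-same-origin combination, allow-top-navigation, and any token beyond the four this page lists. The function names, finding labels and sample markup are constructed for illustration.

```javascript
// Added example, not the tool's code: audit each <iframe> in an HTML string
// against the sandbox rules described on this page. All names are illustrative.
const PAGE_TOKENS = new Set(["allow-scripts", "allow-modals", "allow-forms", "allow-popups"]);

// Return the attributes of one start tag as a Map (names lowercased).
// Quoted values are consumed whole, so a ">" or the word "sandbox" inside
// srcdoc="..." is not mistaken for markup.
function parseAttrs(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<iframe/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? ""); // first wins, as in HTML
  }
  return attrs;
}

// Classify one sandbox attribute value (null means the attribute is absent).
function auditSandbox(value) {
  if (value === null) return ["unsandboxed"];
  const tokens = new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
  const findings = [];
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin"))
    findings.push("scripts+same-origin"); // frame script can remove its own sandbox
  if (tokens.has("allow-top-navigation"))
    findings.push("top-navigation"); // frame may navigate the top-level page
  for (const t of tokens)
    if (!PAGE_TOKENS.has(t) && t !== "allow-same-origin" && t !== "allow-top-navigation")
      findings.push("extra:" + t); // beyond the four tokens this page lists
  return findings;
}

// Audit every iframe start tag in the document; an empty findings list passes.
function auditHtml(html) {
  const tagRe = /<iframe\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
  return [...html.matchAll(tagRe)].map(([tag]) => {
    const attrs = parseAttrs(tag);
    return { tag: tag.slice(0, 60), findings: auditSandbox(attrs.get("sandbox") ?? null) };
  });
}

// Constructed sample input: the page's configuration plus two weaker variants.
const SAMPLE = `
<iframe sandbox="allow-scripts allow-modals allow-forms allow-popups" referrerpolicy="no-referrer" srcdoc="<p>hi</p>"></iframe>
<iframe sandbox="allow-scripts allow-same-origin" srcdoc="<b>sandbox</b>"></iframe>
<iframe srcdoc='<iframe sandbox="">'></iframe>`;
console.log(auditHtml(SAMPLE));
```

An empty sandbox value yields no findings because it applies every restriction; the third sample is reported as unsandboxed because its only sandbox text sits inside the srcdoc value.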
.html file in a sandboxed context
fetch() from any origin (without credentials)
console.log is not surfaced
For informational purposes only. Not financial, medical, or legal advice. You are solely responsible for how you use these tools.