Cross-origin iframes are basically the heart of how CodePen works. You write code, we execute it for you in an iframe that doesn't share the same domain as CodePen itself, as the first line of defense. We didn't hear any heads up or anything.
https://css-tricks.com/choice-words-about-the-upcoming-deprecation-of-javascript-dialogs/