diff --git a/.gitignore b/.gitignore
index 49c1963d..2f136b1c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,10 +17,6 @@ data/videos/*
 !www/videos/screen-saver.ogv
 !www/videos/screen-saver.webm
 
-data/browserfest-submissions.json
-data/browserfest-thumbnails/*
-!data/browserfest-thumbnails/.gitkeep
-
 # ignoring tutorial data for now, to avoid bloating things up
 www/tutorials/*
 !www/tutorials/list.json
diff --git a/data/browserfest-thumbnails/.gitkeep b/data/browserfest-thumbnails/.gitkeep
deleted file mode 100644
index e69de29b..00000000
diff --git a/my_modules/github.js b/my_modules/github.js
index cc648872..06ce6878 100644
--- a/my_modules/github.js
+++ b/my_modules/github.js
@@ -1,4 +1,3 @@
-const axios = require('axios')
 const triplesec = require('triplesec')
 const { Octokit } = require('@octokit/core')
 const express = require('express')
@@ -104,17 +103,25 @@ function reWriteCSSPaths (req, data) { // HACK!!!
   return str
 }
 
-router.get('/api/github/proxy', (req, res) => {
+router.get('/api/github/proxy', async (req, res) => {
+  if (!req.query.url) return res.status(400).json({ error: 'missing url param' })
+  // fix single-slash typo that can come from the redbird proxy
   const url = req.query.url.replace('https:/raw', 'https://raw')
-  // HACK: the purpose of this proxy to get around this issue:
+  // only allow raw.githubusercontent.com — no open SSRF
+  let parsed
+  try { parsed = new URL(url) } catch { return res.status(400).json({ error: 'invalid url' }) }
+  if (parsed.hostname !== 'raw.githubusercontent.com') {
+    return res.status(403).json({ error: 'host not allowed' })
+  }
+  // HACK: proxy exists to get around MIME-type mismatch issue with raw.githubusercontent.com
   // https://stackoverflow.com/questions/40728554/resource-blocked-due-to-mime-type-mismatch-x-content-type-options-nosniff/41309463#41309463
-  axios.get(url, { responseType: 'arraybuffer' })
-    .then(r => {
-      if (req.query.url.includes('.css')) {
-        res.end(reWriteCSSPaths(req, r.data))
-      } else res.end(r.data)
-    })
-    .catch(err => console.log(err))
+  try {
+    const r = await fetch(url)
+    const buf = await r.arrayBuffer()
+    if (req.query.url.includes('.css')) {
+      res.end(reWriteCSSPaths(req, Buffer.from(buf)))
+    } else res.end(Buffer.from(buf))
+  } catch (err) { console.log(err) }
 })
 
 // ~ * ~ . _ . ~ *  ~ . _ . ~ *  ~ . _ . ~ *  ~ . _ . ~ * Auth Token
@@ -141,11 +148,10 @@ router.get('/user/signin/callback', (req, res) => {
   const root = 'https://github.com/login/oauth/access_token'
   const id = `client_id=${process.env.GITHUB_CLIENT_ID}`
   const sec = `client_secret=${process.env.GITHUB_CLIENT_SECRET}`
-  axios.post(`${root}?${id}&${sec}&${code}`, { // ask GitHub for Auth Token
-    method: 'post',
+  fetch(`${root}?${id}&${sec}&${code}`, { // ask GitHub for Auth Token
+    method: 'POST',
     headers: { Accept: 'application/json' }
-  }).then(response => {
-    const token = response.data
+  }).then(response => response.text()).then(token => {
     const ermsg = '◕ ︵ ◕ oh no! looks like something went wrong with GitHub'
     if (token.indexOf('error') === 0) return res.send(ermsg)
     // ...assuming we don't get an error back, let's encrypt the token
diff --git a/my_modules/routes.js b/my_modules/routes.js
index 577c289a..9cb28c10 100644
--- a/my_modules/routes.js
+++ b/my_modules/routes.js
@@ -5,9 +5,7 @@ const fs = require('fs')
 const { promisify } = require('util')
 const readdir = promisify(fs.readdir)
 const stat = promisify(fs.stat)
-const exec = require('child_process').exec
 const utils = require('./utils.js')
-const axios = require('axios')
 const os = require('os')
 
 // \\ // \\ // \\ // \\ // \\ // \\ // \\ // \\ // \\ // \\ // \\ // \\ //
@@ -45,11 +43,16 @@ otherAssets.forEach(dir => {
 aliasRoutes.forEach(dep => {
   if (dep.url.includes('*')) { // for routes with wildcards
     router.get(dep.url, (req, res) => { // req.params[0] contains the wildcard path
-      const filePath = path.join(__dirname, dep.loc, req.params[0])
-      res.sendFile(filePath)
+      res.setHeader('Access-Control-Allow-Origin', '*')
+      res.sendFile(req.params[0], { root: path.join(__dirname, dep.loc) }, (err) => {
+        if (err) res.status(404).end()
+      })
     })
   } else { // for exact routes
-    router.get(dep.url, (req, res) => res.sendFile(path.join(__dirname, dep.loc)))
+    router.get(dep.url, (req, res) => {
+      res.setHeader('Access-Control-Allow-Origin', '*')
+      res.sendFile(path.join(__dirname, dep.loc))
+    })
   }
 })
 
@@ -59,8 +62,10 @@ router.get('/tutorials/*', (req, res, next) => {
   const host = req.hostname
   // any subdomains (ex dev.netnet) should load tutorials from production server
   if (host.endsWith('.netnet.studio') && !req.originalUrl.endsWith('/list.json')) {
-    const filePath = path.join(__dirname, '../../netnet.studio/www', req.originalUrl)
-    return res.sendFile(filePath)
+    const root = path.resolve(__dirname, '../../netnet.studio/www')
+    return res.sendFile(req.params[0], { root }, (err) => {
+      if (err) res.status(404).end()
+    })
   }
   // NOTE: v2 && v3 have a modified version of this route which returns the old
   // tutorials, stored in ../../netnet.studio-v3/www
@@ -68,6 +73,8 @@ router.get('/tutorials/*', (req, res, next) => {
 })
 
 // directory listing for /templates/*
+const escapeHtml = s => String(s).replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]))
+
 const templateListPage = (rel, upLink, rows) => {
   const arr = rel.split('/').filter(s => s !== '')
   arr.splice(0, 2)
@@ -76,7 +83,7 @@ const templateListPage = (rel, upLink, rows) => {
 <html>
   <head>
     <meta charset="utf-8">
-    <title>Contents of ${rel}</title>
+    <title>Contents of ${escapeHtml(rel)}</title>
     <meta name="viewport" content="width=device-width,initial-scale=1">
     <style>
       body { font-family: system-ui, -apple-system, Segoe UI, Roboto, Ubuntu, Cantarell, Noto Sans, Arial, sans-serif; padding: 2rem; }
@@ -88,7 +95,7 @@ const templateListPage = (rel, upLink, rows) => {
   </head>
   <body>
     ${arr.length > 1 ? upLink : ''}
-    <h1><span style="opacity: 0.5">Contents of:</span> ${rel}</h1>
+    <h1><span style="opacity: 0.5">Contents of:</span> ${escapeHtml(rel)}</h1>
     <ul>${rows}</ul>
   </body>
 </html>`
@@ -133,7 +140,8 @@ router.get('/templates/*', (req, res) => {
           res.send(html)
         })
       })
-    } else { // it’s a file → serve it directly
+    } else { // it's a file → serve it directly
+      res.setHeader('Access-Control-Allow-Origin', '*')
       res.sendFile(requestedPath)
     }
   })
@@ -151,30 +159,6 @@ router.get('/api/videos/:video', (req, res) => {
   })
 })
 
-router.get('/api/nn-proxy', async (req, res) => {
-  let URL = req.query.url
-  for (const key in req.query) {
-    if (key !== 'url') URL += `&${key}=${req.query[key]}`
-  }
-  const request = await axios.get(URL)
-  res.send(request.data)
-})
-
-router.get('/api/proxy', (req, res) => {
-  let URL = Object.keys(req.query)[0]
-  // accont for redbird proxy bug
-  if (URL.includes('http:/')) {
-    URL = URL.replace('http:/', 'http://')
-  }
-  if (URL.includes('http:///')) {
-    URL = URL.replace('http:///', 'http://')
-  }
-  // proxy request
-  axios.get(URL)
-    .then(r => res.end(r.data))
-    .catch(err => console.log(err))
-})
-
 function getSubdirectories (directory, depth = 0) {
   if (depth >= 2) return Promise.resolve([])
   return readdir(directory)
@@ -291,12 +275,18 @@ router.get('/api/convos', (req, res) => {
   })
 })
 
-router.get('/api/user-geo', (req, res) => {
-  const ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress
-  exec(`curl http://ip-api.com/json/${ip}`, (err, stdout) => {
-    if (err) res.json({ success: false, error: err })
-    else res.json({ success: true, data: JSON.parse(stdout) })
-  })
+router.get('/api/user-geo', async (req, res) => {
+  const raw = req.headers['x-forwarded-for'] || req.connection.remoteAddress
+  const ip = raw ? raw.split(',')[0].trim() : ''
+  const validIP = /^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]+$/.test(ip)
+  if (!validIP) return res.json({ success: false, error: 'invalid IP' })
+  try {
+    const r = await fetch(`http://ip-api.com/json/${ip}`)
+    const data = await r.json()
+    res.json({ success: true, data })
+  } catch (err) {
+    res.json({ success: false, error: err.message })
+  }
 })
 
 // \\ // \\ // \\ // \\ // \\ // \\ // \\ // \\ // \\ // \\ //   URL SHORTENER
@@ -425,6 +415,7 @@ router.get('/api/templates', async (req, res) => {
 
 router.get('/api/template/:template', async (req, res) => {
   const name = req.params.template
+  if (!/^[a-z0-9-]+$/i.test(name)) return res.status(400).json({ success: false, error: 'invalid template name' })
   try {
     const base = path.join(__dirname, '../data/templates', name)
     const text = await fs.promises.readFile(path.join(base, 'data.json'), 'utf8')
@@ -443,58 +434,4 @@ router.get('/api/template/:template', async (req, res) => {
   }
 })
 
-// ************************
-// BROWSERFEST SUBMISSIONS
-// ************************
-
-const multer = require('multer')
-const bfimgs = path.join(__dirname, '../data/browserfest-thumbnails')
-const uploadImgStorage = multer.diskStorage({
-  destination: function (req, file, cb) { cb(null, bfimgs) },
-  filename: function (req, file, cb) { cb(null, file.originalname) }
-})
-const uploadImg = multer({ storage: uploadImgStorage }).single('image')
-
-// POST.......
-
-router.post('/api/browserfest/upload-image', async (req, res) => {
-  uploadImg(req, res, function (err) {
-    if (err) res.json({ success: false, error: err })
-    else res.json({ success: 'success', message: `${req.file.filename} uploaded` })
-  })
-})
-
-router.post('/api/browserfest/submission', (req, res) => {
-  const dbPath = path.join(__dirname, '../data/browserfest-submissions.json')
-  utils.checkForJSONArrayFile(req, res, dbPath, () => {
-    const bfsubs = JSON.parse(fs.readFileSync(dbPath, 'utf8'))
-    if (bfsubs) {
-      bfsubs.push(req.body)
-      fs.writeFile(dbPath, JSON.stringify(bfsubs, null, 2), (err) => {
-        if (err) res.json({ success: false, error: err })
-        else res.json({ success: 'success' })
-      })
-    } else {
-      res.json({ error: 'there was an error with the database.' })
-    }
-  })
-})
-
-// GET ........
-
-router.use(express.static(path.join(__dirname, '../data/browserfest-thumbnails')))
-
-router.get('/api/browserfest/submissions', (req, res) => {
-  const dbPath = path.join(__dirname, '../data/browserfest-submissions.json')
-  const bfsubs = JSON.parse(fs.readFileSync(dbPath, 'utf8'))
-  // NOTE: this will overwrite our "utils.corsGate" (leaving here for future ref)
-  // res.set({
-  //   'Access-Control-Allow-Origin': '*',
-  //   'Access-Control-Allow-Methods': 'GET'
-  // })
-  const msg = 'welcome h4x0r! to BrowserFest\'s API, here\'s that R4W data!'
-  if (bfsubs) res.json({ success: msg, data: bfsubs })
-  else res.json({ error: 'there was an error with the database.' })
-})
-
 module.exports = router
diff --git a/package.json b/package.json
index 6a810b44..d1be9b7d 100644
--- a/package.json
+++ b/package.json
@@ -21,9 +21,11 @@
     "url": "https://github.com/netizenorg/netnet.studio/issues"
   },
   "homepage": "https://github.com/netizenorg/netnet.studio/wiki",
+  "standard": {
+    "globals": ["fetch"]
+  },
   "dependencies": {
     "@octokit/core": "^3.1.2",
-    "axios": "^0.20.0",
     "body-parser": "^1.19.0",
     "cookie-parser": "^1.4.5",
     "device": "^0.3.11",
diff --git a/server.js b/server.js
index 4ac93931..b6eda0c4 100644
--- a/server.js
+++ b/server.js
@@ -37,11 +37,20 @@ if (process.env.CURTAIN) {
   })
 }
 
+app.use((req, res, next) => {
+  res.setHeader('X-Content-Type-Options', 'nosniff')
+  res.setHeader('X-Frame-Options', 'SAMEORIGIN')
+  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin')
+  res.setHeader('Strict-Transport-Security', 'max-age=63072000; includeSubDomains')
+  next()
+})
+
 app.use('/api', utils.corsGate)
 app.use(ROUTES)
 app.use(GITHUB)
-app.use(express.static(`${__dirname}/www`))
-app.use('/docs', express.static(`${__dirname}/docs`))
+const staticCORS = (res) => res.setHeader('Access-Control-Allow-Origin', '*')
+app.use(express.static(`${__dirname}/www`, { setHeaders: staticCORS }))
+app.use('/docs', express.static(`${__dirname}/docs`, { setHeaders: staticCORS }))
 app.use(ERRORS.notFound)
 app.use(ERRORS.errorHandler)
 
diff --git a/www/core/main.js b/www/core/main.js
index 4ac1ae62..b26036e5 100644
--- a/www/core/main.js
+++ b/www/core/main.js
@@ -59,6 +59,7 @@ nn.on('resize', (e) => {
 nn.on('message', (e) => {
   if (e.data.type === 'iframe-error') WIDGETS['code-review'].review({ error: e })
   else if (e.data.type === 'netnet-bg') utils.updateAllShadows(e)
+  else if (e.data.type === 'iframe-sensor-blocked') WIDGETS['code-review'].handleSensorBlocked()
 })
 
 // update default background on mouse movement
diff --git a/www/core/netitor b/www/core/netitor
index c6987751..4ef28d1e 160000
--- a/www/core/netitor
+++ b/www/core/netitor
@@ -1 +1 @@
-Subproject commit c69877518847a171eff9f85dfebe0b17f60d63b7
+Subproject commit 4ef28d1e2cd418e33e4d9b2c5d3dd5a09c03265a
diff --git a/www/core/styles/utils.css b/www/core/styles/utils.css
index c03f520a..72add2d6 100644
--- a/www/core/styles/utils.css
+++ b/www/core/styles/utils.css
@@ -89,20 +89,6 @@
   white-space: nowrap;
 }
 
-/* BROWSERFEST BUTTON */
-.opt-rainbow-bg {
-  background-image: linear-gradient(to right, #ffa50066, #ffff0066, #00800066, #00ffff66, #0000ff66, #ee82ee66) !important;
-  background-position-x: 0;
-  animation: opt-pan-rainbow 5s infinite;
-  animation-timing-function: linear;
-}
-
-@keyframes opt-pan-rainbow {
-  0% { background-position-x: 0px; }
-  100% { background-position-x: 182px; }
-}
-
-
 /* selecting */
 body {
   user-select: auto;
diff --git a/www/core/utils-convo.js b/www/core/utils-convo.js
index 635431ba..a75b7bc6 100644
--- a/www/core/utils-convo.js
+++ b/www/core/utils-convo.js
@@ -77,9 +77,17 @@ window.CONVOS['utils-misc'] = (self) => {
   }, {
     before: () => { if (NNW.layout === 'welcome') NNW.layout = 'dock-left' },
     id: 'agree-to-fork',
-    content: 'How exciting! In order to create your own remix of this project I\'m going to "<a href="https://guides.github.com/activities/forking/" target="_blank">fork</a>" it to your GitHub. Forking creates an associated copy onto your account. Sounds good?',
+    content: 'How exciting! In order to create your own remix of this project I\'m going to "<a href="https://guides.github.com/activities/forking/" target="_blank">fork</a>" it to your GitHub. Forking creates an associated copy in your account. One thing to keep in mind is that I\'ll be downloading this project\'s code and running it in your browser, so make sure you trust the creator of this repo. Sounds good?',
     options: {
-      'let\'s do it!': (e) => utils.forkRepo(),
+      'I trust it, let\'s do it!': (e) => utils.forkRepo(),
+      'trust?': (e) => e.goTo('trust-code'),
+      'oh, never mind': (e) => e.hide()
+    }
+  }, {
+    id: 'trust-code',
+    content: 'You didn\'t write this code, so it\'s important to trust the person who did. This is true anytime you run someone else\'s code in your environment, this could mean importing a library someone else wrote into your own project, installing a new extention in your browser or even installing an app you downloaded to your computer. If you didn\'t write the code, always make sure it\'s coming from a tusted source!',
+    options: {
+      'I trust it, let\'s fork!': (e) => utils.forkRepo(),
       'oh, never mind': (e) => e.hide()
     }
   }, {
diff --git a/www/core/utils.js b/www/core/utils.js
index 4ae154a1..4d23fdd4 100644
--- a/www/core/utils.js
+++ b/www/core/utils.js
@@ -180,10 +180,11 @@ window.utils = {
 
   function bgmovement (e) {
     // send mousemovments back up to netnet
+    // '*' required: iframe may be sandboxed (null origin)
     window.top.postMessage({
       type: 'netnet-bg',
       data: { x: e.x, y: e.y }
-    })
+    }, '*')
   }
 
   function reduceMotion () {
@@ -209,7 +210,7 @@ window.utils = {
     NNE.iframe.contentWindow.postMessage({
       type: 'netnet',
       data: { x: e.x, y: e.y, nomotion }
-    })
+    }, '*')
   },
 
   forkRepo: () => {
@@ -448,7 +449,7 @@ window.utils = {
       return 'demo'
     } else if (url.template) {
       window.utils.loadTemplate(url.template)
-      return 'demo'
+      return 'template'
     } else {
       return 'none'
     }
@@ -491,6 +492,7 @@ window.utils = {
   },
 
   loadFromCodeHash: (layout) => {
+    NNE.iframe.setAttribute('sandbox', 'allow-scripts allow-forms allow-popups allow-modals allow-pointer-lock')
     NNE.code = ''
     if (layout) NNW.layout = layout
     window.utils.afterLayoutTransition(() => {
@@ -548,6 +550,14 @@ window.utils = {
         window.utils._Convo('oh-no-error')
         return
       }
+      // sandbox only when the repo belongs to someone else
+      const o = WIDGETS['student-session'].getData('owner')
+      const isOwner = o && o === a[0]
+      if (isOwner) {
+        NNE.iframe.removeAttribute('sandbox')
+      } else {
+        NNE.iframe.setAttribute('sandbox', 'allow-scripts allow-forms allow-popups allow-modals allow-pointer-lock')
+      }
       window.utils.setCustomRenderer(base, proxy)
 
       NNE.code = ''
@@ -559,8 +569,7 @@ window.utils = {
           if (!NNE.autoUpdate) NNE.update()
         }, 10)
         window.utils.fadeOutLoader(false)
-        const o = WIDGETS['student-session'].getData('owner')
-        if (o && o === a[0]) {
+        if (isOwner) {
           window.utils._Convo('remix-github-project-logged-in-as-owner')
         } else if (o) {
           window.utils._Convo('remix-github-project-logged-in')
@@ -587,6 +596,7 @@ window.utils = {
       // before they got redirected over to GitHub to auth...
       const decoded = NNE._decode(code.substr(6))
       window.utils.setCustomRenderer(null)
+      NNE.iframe.removeAttribute('sandbox')
       NNE.code = decoded
       NNW.layout = 'dock-left'
       window.utils.afterLayoutTransition(() => {
@@ -709,6 +719,9 @@ window.utils = {
   // •.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*
 
   cancelAllNetitorUses: (exception) => {
+    // remove security (would have been added if they loaded external sketch)
+    NNE.iframe.removeAttribute('sandbox')
+
     const hasException = (s) => {
       if (exception instanceof Array) {
         return exception.includes(s)
@@ -756,9 +769,17 @@ window.utils = {
   // main.js listens for these errors + sends them to 'code-review' widget
   setCustomRenderer: (base, proxy) => {
     const errMsgr = `<script>
-      window.onerror = function (message, source, lineno) {
-        window.parent.postMessage({ type: 'iframe-error', message, source, lineno }, '*')
-      }
+      window.addEventListener('error', function (e) {
+        if (e.message) window.parent.postMessage({ type: 'iframe-error', message: e.message, source: e.filename, lineno: e.lineno }, '*')
+      }, true)
+      var _nnW = new WeakSet()
+      function _nnRes (n) { if (n.nodeType !== 1 || _nnW.has(n)) return; var s = n.src || n.href; if (!s) return; _nnW.add(n); n.addEventListener('error', function () { window.parent.postMessage({ type: 'iframe-error', src: n.src || n.href }, '*') }) }
+      new MutationObserver(function (ms) { ms.forEach(function (m) { if (m.type === 'childList') m.addedNodes.forEach(_nnRes); else _nnRes(m.target) }) }).observe(document.documentElement || document, { childList: true, subtree: true, attributes: true, attributeFilter: ['src', 'href'] })
+      window.addEventListener('unhandledrejection', function (e) {
+        if (e.reason && (e.reason.name === 'NotAllowedError' || e.reason.name === 'SecurityError')) {
+          window.parent.postMessage({ type: 'iframe-sensor-blocked' }, '*')
+        }
+      })
     </script>`
     if (!base) {
       NNE.customRender = function (event) { event.update(errMsgr + event.code) }
@@ -772,7 +793,7 @@ window.utils = {
   },
 
   hideConvoIf: () => { // on cursor activity, hide convo if it's one of these
-    const ids = ['returning-student', 'what-to-do', 'blank-canvas-ready', 'how-to-code', 'demo-example', 'browserfest', 'remix-github-project-logged-in', 'remix-github-project-logged-in-as-owner', 'remix-github-project-logged-out', 'remix-github-project-auth-redirect', 'gh-redirected']
+    const ids = ['returning-student', 'what-to-do', 'blank-canvas-ready', 'how-to-code', 'demo-example', 'remix-github-project-logged-in', 'remix-github-project-logged-in-as-owner', 'remix-github-project-logged-out', 'remix-github-project-auth-redirect', 'gh-redirected']
     if (window.convo && ids.includes(window.convo.id)) {
       window.convo.hide()
     }
diff --git a/www/widgets/browser-fest/convo.js b/www/widgets/browser-fest/convo.js
deleted file mode 100644
index ddb4b0f1..00000000
--- a/www/widgets/browser-fest/convo.js
+++ /dev/null
@@ -1,47 +0,0 @@
-/* global WIDGETS, Convo, NNE, NNW, utils */
-window.CONVOS['browser-fest'] = (self) => {
-  const ssw = WIDGETS['student-session']
-  return [{
-    id: 'browserfest',
-    content: 'BrowserFest is an online competition and celebration of creative coding on the web! Submissions are open through April 5th. Submit your sketches and remix others’ in a chance to win prizes, fame, and glory. For workshops and other ways to connect, visit <a href="https://browserfest.netizen.org/" target="_blank">browserfest.netizen.org</a>',
-    options: {
-      'sounds cool!': (e) => e.hide()
-    }
-  }, {
-    id: 'bf-no-login',
-    content: 'To submit to <a href="https://browserfest.netizen.org/" target="_blank">BrowserFest</a>, you need to be logged into GitHub. Let\'s get connected to your GitHub account!',
-    options: {
-      'how do I do that?': (e) => {
-        window.convo = new Convo(ssw.convos, 'github-auth')
-      },
-      'what\'s GitHub?': (e) => e.goTo('what-is-github')
-    }
-  }, {
-    id: 'what-is-github',
-    content: 'GitHub is a platform where coders share their open source projects and collaborate with each other. Your GitHub account is sort of like your code "portfolio"',
-    options: {
-      'cool, how do I get started?': (e) => {
-        window.convo = new Convo(ssw.convos, 'goto-github')
-      }
-    }
-  }, {
-    id: 'req-project',
-    content: 'To submit to <a href="https://browserfest.netizen.org/" target="_blank">BrowserFest</a>, you need to have a project open. Do you want to open a saved project or would you like to create a new one?',
-    options: {
-      'open a project I made earlier': (e) => {
-        WIDGETS['coding-menu'].openProject()
-      },
-      'start a new project': (e) => {
-        if (NNW.layout === 'welcome') {
-          if (utils.btoa(NNE.code) === utils.starterCodeB64) { NNE.code = '' }
-          NNW.layout = 'dock-left'
-          window.utils.afterLayoutTransition(() => {
-            setTimeout(() => NNE.cm.refresh(), 10)
-            // THIS WAS REMOVED IN FILES + FOLDERS REFACTOR
-            // WIDGETS['coding-menu'].newProject()
-          })
-        }
-      }
-    }
-  }]
-}
diff --git a/www/widgets/browser-fest/index.js b/www/widgets/browser-fest/index.js
deleted file mode 100644
index 73746c92..00000000
--- a/www/widgets/browser-fest/index.js
+++ /dev/null
@@ -1,237 +0,0 @@
-/* global WIDGETS, Widget, nn, Convo, utils */
-class BrowserFest extends Widget {
-  constructor (opts) {
-    super(opts)
-    this.key = 'browser-fest'
-    this.listed = true
-    this.keywords = ['browserfest', 'submission']
-
-    this.title = 'BrowserFest Submission'
-    this.width = 600
-
-    this.on('open', () => {
-      this.owner = WIDGETS['student-session'].getData('owner')
-      // NOTE: this used to query for 'opened-project' in student-session
-      // but that has since been removed, this has been replaced with
-      // 'project-files' data (but has not been tested)
-      this.repo = WIDGETS['project-files']?.projectData.name
-      this.branch = WIDGETS['project-files']?.projectData.branch
-      this._createHTML()
-    })
-
-    this._createFileUploader()
-  }
-
-  submit () {
-    if (this.convos) {
-      const owner = WIDGETS['student-session'].getData('owner')
-      const repo = WIDGETS['project-files']?.projectData.name
-      if (!owner) {
-        window.convo = new Convo(this.convos, 'bf-no-login')
-      } else if (!repo) {
-        window.convo = new Convo(this.convos, 'req-project')
-      } else {
-        this.open()
-        window.convo = new Convo(this.convos, 'browserfest')
-      }
-    } else {
-      Convo.load(this.key, () => {
-        this.convos = window.CONVOS[this.key](this)
-        this.submit()
-      })
-    }
-  }
-
-  _preSubmitForkCheck () {
-    const validity = this.$('[name="email"]').validity
-    const url = this.$('[name="url"]').validity
-    if (validity.valueMissing || validity.typeMismatch) {
-      window.alert('please enter a valid email, we gotta be able to get in touch with you')
-      return
-    } else if (!url.valueMissing && url.typeMismatch) {
-      window.alert('please enter a valid URL or leave that field blank')
-      return
-    }
-
-    const imgName = `${this.owner}-${Date.now()}`
-    const data = {
-      owner: this.owner,
-      repo: this.repo,
-      branch: this.branch,
-      email: this.$('[name="email"]').value,
-      author: this.$('[name="author"]').value,
-      title: this.$('[name="title"]').value || 'unititled',
-      url: this.$('[name="url"]').value,
-      description: this.$('[name="description"]').value,
-      date: Date.now()
-    }
-
-    this._submittingHTML()
-
-    const repoData = { owner: this.owner, repo: this.repo }
-    utils.post('/api/github/repo-data', repoData, (json) => {
-      if (json.data.fork) {
-        data.fork = {
-          owner: json.data.parent.owner.login,
-          repo: json.data.parent.name,
-          branch: json.data.parent.default_branch
-        }
-      } else { data.fork = false }
-      this._submitToBF(data, imgName)
-    })
-  }
-
-  _submitToBF (data, imgName) {
-    const submitData = (data) => {
-      utils.post('./api/browserfest/submission', data, (json) => {
-        console.log(json)
-        if (json.success) {
-          this.innerHTML = `<p>Your project, ${data.title} has been submitted! You should see it displayed in the <a href="https://browserfest.netizen.org/gallery.html" target="_blank">BrowserFest Demo Gallery</a> soon.</p>`
-        } else {
-          this.innerHTML = '<p>Dang! seems there was an error (peep the conosle)! Close this widget and try again maybe? If you keep having troulbe send us an email: h<i></i>i@net<i></i>izen.org</p>'
-        }
-      })
-    }
-
-    if (this._bfthumb) {
-      const ext = this._bfthumb.type.split('/')[1]
-      data.thumbnail = `https://netnet.studio/${imgName}.${ext}`
-      const formData = new window.FormData()
-      formData.append('image', this.fu.input.files[0], data.thumbnail)
-      window.fetch('api/browserfest/upload-image', { method: 'POST', body: formData })
-        .then(res => res.json())
-        .then(json => { if (json.success) submitData(data) })
-        .catch(err => console.error(err))
-    } else { submitData(data) }
-  }
-
-  // ---------------------------------------------------------------------------
-  // ----------------------------------------------------------- innerHTML -----
-
-  _createFileUploader () {
-    this.fu = new nn.FileUploader({
-      maxSize: 5000,
-      types: ['image/jpeg', 'image/png', 'image/gif'],
-      ready: (file) => {
-        this.$('[name="thumbnail-name"]').textContent = file.name
-        this._bfthumb = file
-      },
-      error: (err) => {
-        window.alert('oops! there was an issue (peep the console)')
-        console.error(err)
-      }
-    })
-  }
-
-  _submittingHTML () {
-    const uploadSvg = `
-    <?xml version="1.0" encoding="utf-8"?>
-    <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-         viewBox="0 75 500 200" style="enable-background:new 0 0 500 350;" xml:space="preserve">
-      <style type="text/css">
-        .fill-color {
-          fill:#D593CD;
-        }
-        .stroke-color {
-          stroke:#D593CD;
-        }
-        .st1{fill:none;stroke-width:2;stroke-miterlimit:10;}
-        .st2{enable-background:new;}
-        .st3{fill:transparent;stroke-width:1;stroke-miterlimit:10;}
-        .st4{fill:transparent;stroke-width:1;stroke-miterlimit:10;}
-        .st6{font-family:'fira-mono-regular';}
-        .st7{font-size:10.1238px;}
-      </style>
-      <g>
-        <path class="fill-color" d="M391,137c1.65,0,3,1.35,3,3v67H290v-67.01c0-1.65,1.34-2.99,2.99-2.99L391,137 M391,135h-98.01
-          c-2.75,0-4.99,2.23-4.99,4.99v69c0,0.01,0.01,0.02,0.02,0.02h107.97c0.01,0,0.02-0.01,0.02-0.02V140C396,137.24,393.76,135,391,135
-          L391,135z"/>
-      </g>
-      <g>
-        <path class="fill-color" d="M151.26,137l6.44,5.52l6.3,5.4V207h-57v-70H151.26 M152,135h-47v74h61v-62l-7-6L152,135L152,135z"/>
-      </g>
-      <polyline class="st1 stroke-color" points="152,136.9 152,148 165,147.9 "/>
-      <g class="st2">
-        <path class="fill-color" d="M321.02,163.53c2.1,0,3.87,0.73,5.31,2.2c1.45,1.47,2.16,3.27,2.16,5.42c0,1.41-0.44,2.77-1.31,4.07
-          c-0.67,1.01-1.57,1.81-2.68,2.4c-1.12,0.59-2.3,0.89-3.55,0.89c-2.03,0-3.78-0.74-5.26-2.22c-1.47-1.49-2.2-3.25-2.2-5.28
-          c0-1.06,0.23-2.09,0.7-3.1c0.47-1.01,1.11-1.87,1.93-2.58C317.51,164.14,319.15,163.53,321.02,163.53z M321.02,164.51
-          c-1.82,0-3.37,0.63-4.64,1.89c-1.27,1.26-1.9,2.8-1.9,4.6l6.52,0.03L321.02,164.51z"/>
-      </g>
-      <g class="st2">
-        <path class="fill-color" d="M362.02,163.53c2.1,0,3.87,0.73,5.31,2.2c1.45,1.47,2.16,3.27,2.16,5.42c0,1.41-0.44,2.77-1.31,4.07
-          c-0.67,1.01-1.57,1.81-2.68,2.4c-1.12,0.59-2.3,0.89-3.55,0.89c-2.03,0-3.78-0.74-5.26-2.22c-1.47-1.49-2.2-3.25-2.2-5.28
-          c0-1.06,0.23-2.09,0.7-3.1c0.47-1.01,1.11-1.87,1.93-2.58C358.51,164.14,360.15,163.53,362.02,163.53z M362.02,164.51
-          c-1.82,0-3.37,0.63-4.64,1.89c-1.27,1.26-1.9,2.8-1.9,4.6l6.52,0.03L362.02,164.51z"/>
-      </g>
-      <g class="st2">
-        <path class="fill-color" d="M337,177.97l-0.01-1.01c2.07-0.14,3.75-0.84,5.01-2.12c1.27-1.27,1.9-2.89,1.9-4.84l1.07,0.03
-          c-0.02,0.18-0.03,0.31-0.03,0.39c-0.06,0.94-0.23,1.78-0.52,2.5c-0.29,0.72-0.73,1.47-1.34,2.24c-0.65,0.81-1.53,1.49-2.63,2.02
-          s-2.17,0.8-3.2,0.8C337.23,177.99,337.15,177.98,337,177.97z"/>
-      </g>
-      <path class="st4 loading-bar stroke-color" d="M195,182.92h-8c-1.1,0-2-0.53-2-1.18v-9.48c0-0.65,0.9-1.18,2-1.18h8c1.1,0,2,0.53,2,1.18v9.48
-    C197,182.39,196.1,182.92,195,182.92z"/>
-      <path class="st3 loading-bar stroke-color" d="M213,182.92h-8c-1.1,0-2-0.53-2-1.18v-9.48c0-0.65,0.9-1.18,2-1.18h8c1.1,0,2,0.53,2,1.18v9.48
-    C215,182.39,214.1,182.92,213,182.92z"/>
-      <path class="st3 loading-bar stroke-color" d="M231,182.92h-8c-1.1,0-2-0.53-2-1.18v-9.48c0-0.65,0.9-1.18,2-1.18h8c1.1,0,2,0.53,2,1.18v9.48
-    C233,182.39,232.1,182.92,231,182.92z"/>
-      <path class="st3 loading-bar stroke-color" d="M249,182.92h-8c-1.1,0-2-0.53-2-1.18v-9.48c0-0.65,0.9-1.18,2-1.18h8c1.1,0,2,0.53,2,1.18v9.48
-    C251,182.39,250.1,182.92,249,182.92z"/>
-      <path class="st3 loading-bar stroke-color" d="M267,182.92h-8c-1.1,0-2-0.53-2-1.18v-9.48c0-0.65,0.9-1.18,2-1.18h8c1.1,0,2,0.53,2,1.18v9.48
-    C269,182.39,268.1,182.92,267,182.92z"/>
-    </svg>
-    <p style="text-align: center">...submitting your project to BrowserFest...</p>
-    `
-
-    const svgContainer = document.createElement('div')
-    svgContainer.className = 'files-widget__overlay__svg'
-    svgContainer.innerHTML = uploadSvg
-    this.innerHTML = svgContainer
-  }
-
-  _createHTML () {
-    if (!this.owner || !this.repo) {
-      this.innerHTML = `
-        <p>You don't have a project currently open. In order to submit to <a href="https://browserfest.netizen.org/" target="_blank">BrowserFest</a>, open an old project or create a new one and then I can submit it for you. To create a new project (rather than simply a sketch) you need to connect me to your <a href="https://github.com" target="_blank">GitHub</a> account. If you don't already have a GitHub account you can <a href="https://github.com/join" target="_blank">create one for free</a>.</p>
-      `
-      return
-    }
-
-    this.innerHTML = `
-      <style>
-        .__bf-sub {
-          background-color: var(--netizen-meta);
-          font-family: 'fira-mono-regular', monospace;
-          color: var(--netizen-hint-color);
-          padding: 6px;
-          border: none;
-          margin: 6px;
-          width: 250px;
-          border-radius: 5px;
-        }
-      </style>
-      <div>
-        <input class="input input--lg" type="text" name="author" placeholder="name (alias, handle)">
-        <input class="input input--lg" type="email" name="email" placeholder="email (required)" required class="__bf-sub"><br>
-        <input class="input input--lg" type="text" name="title" placeholder="demo title">
-        <input class="input input--lg" type="url" class="__bf-sub" name="url" placeholder="url (homepage, github or social)"><br>
-        <textarea name="description" class="__bf-sub" style="width: 516px; height: 126px;" placeholder="demo description. instructions (anything you want the judges to know?), attribution (credit for media, assets, code snippets. this should also be in your comments) shoutouts (folks who helped, folks you respect. always a good idea to include these in the demo itself)"></textarea>
-        <br>
-        <button class="pill-btn pill-btn--secondary" name="thumbnail">Upload Thumbnail</button>
-        <span name="thumbnail-name"></span>
-        <button class="pill-btn pill-btn--secondary" name="submit" style="float:right">Submit to BrowserFest</button>
-      </div>
-    `
-
-    const thumb = this.$('[name="thumbnail"]')
-    thumb.style.color = 'var(--netizen-hint-color)'
-    thumb.style.backgroundColor = 'var(--netizen-meta)'
-    thumb.style.borderRadius = '5px'
-    thumb.style.margin = '6px'
-    thumb.addEventListener('click', () => this.fu.input.click())
-
-    this.$('[name="submit"]')
-      .addEventListener('click', () => this._preSubmitForkCheck())
-  }
-}
-
-window.BrowserFest = BrowserFest
diff --git a/www/widgets/browser-fest/styles.css b/www/widgets/browser-fest/styles.css
deleted file mode 100644
index e69de29b..00000000
diff --git a/www/widgets/code-review/convo.js b/www/widgets/code-review/convo.js
index 8edffe5d..284daaa4 100644
--- a/www/widgets/code-review/convo.js
+++ b/www/widgets/code-review/convo.js
@@ -91,6 +91,48 @@ window.CONVOS['code-review'] = (self) => {
   },
   // console error convos
   {
+    id: 'sandbox-security-error',
+    content: 'It looks like you\'re trying to use browser storage (like <code>localStorage</code>, <code>sessionStorage</code>, or <code>indexedDB</code>). This sketch was loaded from an external source, so it runs in a <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/iframe#sandbox" target="_blank">sandboxed</a> iframe for security, which blocks browser storage APIs. If you\'d like to use this API start a new sketch or open your own project.',
+    options: {
+      'ok, got it': (e) => e.hide(),
+      'what\'s a project?': (e) => e.goTo('sandbox-security-error-project')
+    }
+  }, {
+    id: 'sandbox-security-error-project',
+    content: 'Unlike a sketch (which is a single HTML file) a project is a folder that can hold unlimited files, including code, images, fonts, and sounds. To get started, click my face to open the <b>Coding Menu</b> and connect your GitHub account. Browser storage APIs like localStorage will work as expected in projects',
+    options: {
+      'ok thanks': (e) => e.hide()
+    }
+  }, {
+    id: 'sensor-sandbox-blocked',
+    content: 'It looks like this sketch tried to access the camera, microphone, or location. This sketch was loaded from an external source, so it runs in a <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/iframe#sandbox" target="_blank">sandboxed</a> iframe for security, which blocks some browser APIs. If you trust the author of this sketch I can remove those protections?',
+    options: {
+      'trust?': (e) => e.goTo('sensor-sandbox-trust'),
+      'yes, I trust the author': (e) => {
+        NNE.iframe.removeAttribute('sandbox')
+        NNE.update()
+        e.goTo('sensor-remove-sandbox')
+      },
+      'oh, never mind': (e) => { e.hide(); window.convo = null }
+    }
+  }, {
+    id: 'sensor-sandbox-trust',
+    content: 'If you didn\'t write this code it\'s important to trust the person who did. This is true anytime you run someone else\'s code in your environment, this could mean importing a library someone else wrote into your own sketch, installing a new extention in your browser or even installing an app you downloaded to your computer. If you didn\'t write the code, always make sure it\'s coming from a tusted source!',
+    options: {
+      'Oh, never mind': (e) => e.hide(),
+      'I see, yes I trust this!': (e) => {
+        NNE.iframe.removeAttribute('sandbox')
+        NNE.update()
+        e.goTo('sensor-remove-sandbox')
+      }
+    }
+  }, {
+    id: 'sensor-remove-sandbox',
+    content: 'Great! I\'ve removed the security sandbox, you should now be able to access the camera, microphone, location and other previously blocked browser APIs.',
+    options: {
+      'ok thanks': (e) => e.hide()
+    }
+  }, {
     id: 'custom-renderer-error',
     content: `<i>Your browser passed me this error</i>:<br><span style="font-family: fira-code, inconsolata, monospace">${self.error.message}</span>`,
     options: {
diff --git a/www/widgets/code-review/index.js b/www/widgets/code-review/index.js
index 81141ba3..32e1031f 100644
--- a/www/widgets/code-review/index.js
+++ b/www/widgets/code-review/index.js
@@ -13,6 +13,8 @@ class CodeReview extends Widget {
     this.tempCode = null
     this.issues = [] // issues netnet catches via linting
     this.error = {} // last error passed by browser console
+    this._resourceErrors = [] // failed resource URLs from iframe capture listener
+    this._runtimeError = null // last JS runtime error; persists across review() calls
     this._createHTML()
 
     this.on('open', () => this._opened())
@@ -21,18 +23,55 @@ class CodeReview extends Widget {
     Convo.load(this.key, () => { this.convos = window.CONVOS[this.key](this) })
   }
 
+  /*
+    NOTE: this has gone through a lot of upates/changes over time, it may need
+    some refactoring at some point, when we do that, lets use this to test:
+
+    http://localhost:8001/?layout=dock-left#code/eJxlks1SgzAQx+99ip1coKMm9w5w8aQHPdQXSMMCsSTBzaJ2Or67CdSv8QIzu/+PHwnVIbSnZrMBqKzrIZKpxcA8xZ1SBwpH9DczjdIEp5yN0fpeTr4XoEeuxWUC1ukeRZNCco6GgbCrhWllbzsBbXjzY9BtLZjmJGOM/D2slF7bnba+kVK+acu5RcpKLbOVrSPt8Acv0eVXFwhfkRY80VRqla2WaMhO3AAsVAAm+NSbI6FO9WZ26Fm+zEinPY5oOFBZ5HWxXfQdshnKQunJqt7yMB/UHJF8Kiiu4QyGsE0JVo9xB0VM45tAtk9++FgTACQP6EuCugGSzzH4cvt31WrWeZt7pfUe6QnfOQHe7x8fZGRKR2G706L7sRqd0TAbz/+txWEM5ohtooIrwC+a5ZE2etynT00XJiPyHaMrhTvdahbXIJ6CE7/UXQjl9nKr6nKem0otv8wnjiKvJg==
+
+    for security purposes, we've updated the way the render iframe works so that
+    when loading external/third-party code (shortcode URLs, #code/ hashes,
+    non-owned GitHub repos) the iframe gets sandboxed. while working on these
+    updats I ran into a number of side-effects, which then required updates to
+    this widget and how it handled a set of special error cases. And so, if we
+    update things in the future we need to first confirm that the sandbox is
+    still in place, the fetch request in the test sketch should update <main>
+    with the "blocked" message (NOT a GitHub payload)
+
+    we should also see 4 error markers in this sketch:
+    1. a CORS error on line 3 for the <img>
+    2. a warning about download attributes on line 5
+    3. a mixed-content warning for the <iframe> on line 9
+    4. a localStorage warning on line 18
+
+    also, if we address the localStorage error we should see:
+    5. a browser/console reference error for foo() on line 20
+
+  */
+
   review (obj = {}) {
     // update issues passed to .review({ issues }) from main.js
-    if (obj.issues) this.issues = obj.issues
-    // check for any custom issues
-    this._checkForMixedContent()
-    // mark all linted issues
+    if (obj.issues) {
+      this.issues = obj.issues
+      this._resourceErrors = [] // code changed — clear stale resource errors
+      this._runtimeError = null // code changed — clear stale runtime error
+    }
     const c = WIDGETS['student-session']
       ? WIDGETS['student-session'].getData('chattiness') : null
-    if (c && c !== 'low') this._markIssues(this.issues, true)
+    // clear markers before _updateError adds its runtime error marker so it isn't wiped
+    if (c && c !== 'low') NNE.clearMarkers(['orange', 'red'])
     else NNE.marker(null)
+    // check for any custom issues
+    this._checkForMixedContent()
+    this._checkForDownloadLinks()
     // update errors passed to .review({ error }) from main.js
+    // must run before _checkForResourceErrors (may push to this._resourceErrors)
     this._updateError(obj.error)
+    this._checkForResourceErrors()
+    // mark all linted issues (false = don't clear, _applyRuntimeMarker handles that)
+    if (c && c !== 'low') this._markIssues(this.issues, false)
+    // re-apply runtime error marker last so _markIssues can't clear it
+    this._applyRuntimeMarker()
     // update this code review widget's view
     this._reviewIssues()
   }
@@ -50,6 +89,14 @@ class CodeReview extends Widget {
     this._markIssues(this.issues, false)
   }
 
+  handleSensorBlocked () {
+    const c = 'sensor-sandbox-blocked'
+    if (NNE.iframe.hasAttribute('sandbox') && window.convo?.id !== c) {
+      this.convos = window.CONVOS[this.key](this)
+      window.convo = new Convo(this.convos, c)
+    }
+  }
+
   // •.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.••.¸¸¸.•*• private methods
   // •.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*
 
@@ -60,12 +107,17 @@ class CodeReview extends Widget {
     const c = ss ? ss.getData('chattiness') : null
     // event object from 'onerror' event injected into iframe either via
     // utils.setCustomRenderer (sketch) or files-db-service-worker.js (project)
+    if (event?.data?.type === 'iframe-error' && event.data.src) {
+      // resource load failure (img, script, link) — queue for _checkForResourceErrors
+      this._resourceErrors.push(event.data.src)
+      return
+    }
     if (c && c !== 'low' && event?.data && event?.data.type === 'iframe-error') {
       // these are the number of lines added to the top of the file before rendering
       // (see errMsgr in utils.setCustomRenderer)
-      const diff = 4
+      const diff = 12
       const message = event.data.message
-      let file = event.data.source.includes('.') ? event.data.source : null
+      let file = event.data.source?.includes('.') ? event.data.source : null
       let line = event.data.lineno - diff
 
       // if project, ensure only showing errors on current file
@@ -75,18 +127,26 @@ class CodeReview extends Widget {
         if (!file.endsWith('.html')) line += diff
       }
 
-      // add error markers (aka _markErrors)
-      const m = NNE.marker(line, 'red', () => {
-        // _explainError
-        this.error = { message, line, file }
-        this.convos = window.CONVOS[this.key](this)
-        window.convo = new Convo(this.convos, 'custom-renderer-error')
-      })
-      m.setAttribute('title', message)
-      m.dataset.err = JSON.stringify({ message, line, file })
+      // detect sandbox security errors (localStorage, sessionStorage, indexedDB, etc.)
+      const isSandboxErr = message.includes('allow-same-origin') || message.toLowerCase().includes('sandboxed')
+      // store so review() can re-apply the marker after _markIssues clears markers
+      this._runtimeError = { message, line, file, isSandboxErr }
     }
   }
 
+  _applyRuntimeMarker () {
+    if (!this._runtimeError) return
+    const { message, line, file, isSandboxErr } = this._runtimeError
+    const convoId = isSandboxErr ? 'sandbox-security-error' : 'custom-renderer-error'
+    const m = NNE.marker(line, 'red', () => {
+      this.error = { message, line, file }
+      this.convos = window.CONVOS[this.key](this)
+      window.convo = new Convo(this.convos, convoId)
+    })
+    m.setAttribute('title', message)
+    m.dataset.err = JSON.stringify({ message, line, file })
+  }
+
   _findErrors () { // list console error objects
     return Array.from(document.querySelectorAll('.netitor-gutter-marker'))
       .filter(ele => ele.dataset.err)
@@ -164,6 +224,27 @@ class CodeReview extends Widget {
 
   // •.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸ CUSTOM ERRORS
 
+  _checkForResourceErrors () {
+    if (!this._resourceErrors.length) return
+    const lines = NNE.cm.getValue().split('\n')
+    this._resourceErrors.forEach(src => {
+      const parts = src.split('/')
+      const filename = parts[parts.length - 1]
+      lines.forEach((str, i) => {
+        if (!str.includes(src)) return
+        this.issues.push({
+          type: 'error',
+          language: 'html',
+          message: 'Failed to load: ' + src,
+          friendly: 'The file <b>' + filename + '</b> failed to load, it may be blocked by the server\'s <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS" target="_blank">CORS policy</a> or the URL may be incorrect.',
+          line: i + 1,
+          col: 0
+        })
+      })
+    })
+    this._resourceErrors = []
+  }
+
   _checkForMixedContent () {
     if (NNE.language !== 'html') return
     const before = ['src="', 'href="']
@@ -187,6 +268,25 @@ class CodeReview extends Widget {
     }
   }
 
+  _checkForDownloadLinks () {
+    if (NNE.language !== 'html') return
+    if (WIDGETS['project-files']?.projectData?.name) return // sandbox removed for projects
+    const lines = NNE.code.split(/\r?\n/)
+    for (let i = 0; i < lines.length; i++) {
+      const LINE = lines[i]
+      if (LINE.includes('<a') && /\bdownload\b/.test(LINE)) {
+        this.issues.push({
+          type: 'warning',
+          language: 'html',
+          message: 'download attribute blocked by sandbox',
+          friendly: 'This sketch was loaded from an external source, so it runs in a <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/iframe#sandbox" target="_blank">sandboxed</a> iframe for security, which blocks some browser APIs, including the <code>download</code> attribute on an anchor tag. However, if you use this attribute in your own sketch or project it will work as expected.',
+          line: i + 1,
+          col: LINE.indexOf('download')
+        })
+      }
+    }
+  }
+
   // •.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*
 
   _createHTML () {
diff --git a/www/widgets/coding-menu/index.js b/www/widgets/coding-menu/index.js
index dbb7c26f..2b3d815d 100644
--- a/www/widgets/coding-menu/index.js
+++ b/www/widgets/coding-menu/index.js
@@ -35,10 +35,6 @@ class CodingMenu extends Widget {
         key: 'tidy code',
         alts: ['tidy', 'format', 'clean', 'indent']
       }
-      // {
-      //   key: 'BrowserFest',
-      //   alts: []
-      // }
     ]
 
     this.editorSettingsMenu = [
@@ -92,15 +88,6 @@ class CodingMenu extends Widget {
     Convo.load(this.key, () => { this.convos = window.CONVOS[this.key](this) })
   }
 
-  // TEMPORARY
-  // BrowserFest () {
-  //   if (WIDGETS['browser-fest']) {
-  //     WIDGETS['browser-fest'].submit()
-  //   } else {
-  //     WIDGETS.load('browser-fest', (w) => w.submit())
-  //   }
-  // }
-
   // •.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*
   // •.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.••.¸¸¸.•*•. public methods
   // •.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*•.¸¸¸.•*
diff --git a/www/widgets/learning-guide/data/main-slide.html b/www/widgets/learning-guide/data/main-slide.html
index 2657fae8..6ff808cb 100644
--- a/www/widgets/learning-guide/data/main-slide.html
+++ b/www/widgets/learning-guide/data/main-slide.html
@@ -623,11 +623,5 @@ <h3 onclick="WIDGETS['learning-guide'].scrollTo('refs')">APPENDIX</h3>
 
 </main>
 
-<!-- <br>
-
-<center>
-  <button id="bf-submission" class="rainbow-bg">Submit to BrowserFest!!!</button>
-</center> -->
-
 <br>
 <br>
diff --git a/www/widgets/learning-guide/index.js b/www/widgets/learning-guide/index.js
index 58479dc8..14b68572 100644
--- a/www/widgets/learning-guide/index.js
+++ b/www/widgets/learning-guide/index.js
@@ -22,10 +22,6 @@ class LearningGuide extends Widget {
     // load widget card class
     utils.loadFile('widgets/learning-guide/data/widget-card.js', () => {
       this._createPage('mainOpts', 'main-slide.html', null, (div) => {
-        // div.querySelector('#bf-submission').addEventListener('click', () => {
-        //   WIDGETS['coding-menu'].BrowserFest()
-        // })
-
         // create sub pages
         this.subpages = [
           { id: 'aboutOpts', file: 'about.html', back: this.mainOpts },
diff --git a/www/widgets/learning-guide/styles.css b/www/widgets/learning-guide/styles.css
index 581e746d..b6702a67 100644
--- a/www/widgets/learning-guide/styles.css
+++ b/www/widgets/learning-guide/styles.css
@@ -423,23 +423,6 @@
     box-sizing: border-box;
   }
 
-
-
-/* BROWSERFEST BUTTON */
-.rainbow-bg {
-  background-image: linear-gradient(to right, #ffa50066, #ffff0066, #00800066, #00ffff66, #0000ff66, #ee82ee66) !important;
-  background-position-x: 0;
-
-  animation: pan-rainbow 5s infinite;
-  animation-timing-function: linear;
-}
-
-@keyframes pan-rainbow {
-  0% { background-position-x: 0px; }
-  100% { background-position-x: 182px; }
-}
-
-
 /*ARPANET SCANLINES EFFECT*/
 
 @keyframes scan {
diff --git a/www/widgets/project-files/convo.js b/www/widgets/project-files/convo.js
index 8f6e1ec7..f0b90ad5 100644
--- a/www/widgets/project-files/convo.js
+++ b/www/widgets/project-files/convo.js
@@ -463,19 +463,7 @@ window.CONVOS['project-files'] = (self) => {
     options: {
       ok: (e) => e.hide(),
       'beta?': (e) => e.goTo('beta')
-      // 'submit to BrowserFest': (e) => {
-      //   if (WIDGETS['browser-fest']) {
-      //     WIDGETS['browser-fest'].submit()
-      //   } else {
-      //     WIDGETS.load('browser-fest', (w) => w.submit())
-      //   }
-      // }
-    }
-    // ,
-    // after: () => {
-    //   document.querySelector('.text-bubble-options > button:nth-child(2)')
-    //     .classList.add('opt-rainbow-bg')
-    // }
+    }
   }, {
     id: 'beta',
     content: `This is the first version of the <b>Project Files</b> widget, it's still in "beta", meaning we're still actively developing it, so keep any eye out for bugs. If you run into issues or have any thoughts or suggestions, we appreciate constructive feedback, <a href="${window.location.origin}/docs/contributors/bug-report.html" target="_blank">submit an issue!</a>`,
diff --git a/www/widgets/project-files/index.js b/www/widgets/project-files/index.js
index ab820f65..88e95c58 100644
--- a/www/widgets/project-files/index.js
+++ b/www/widgets/project-files/index.js
@@ -1950,6 +1950,8 @@ class ProjectFiles extends Widget {
       console.error('ProjectFiles: no service worker support in this browser')
       return
     }
+    // project files need same-origin iframe so the SW can intercept requests
+    NNE.iframe.removeAttribute('sandbox')
 
     if (this.log) console.log('ProjectFiles: service worker loading')
 
diff --git a/www/widgets/tutorial-maker/index.js b/www/widgets/tutorial-maker/index.js
index f3154f17..6d495a35 100644
--- a/www/widgets/tutorial-maker/index.js
+++ b/www/widgets/tutorial-maker/index.js
@@ -296,7 +296,7 @@ class TutorialMaker extends Widget {
 
   _openPopup (type, payload) {
     const url = 'widgets/tutorial-maker/popups/index.html'
-    this.popup = window.open(url, 'tut-mkr-widget', 'width=485,height=167')
+    this.popup = window.open(url, 'tut-mkr-widget', 'width=485,height=234')
     // keep an eye on the pop up to see if it closed
     this.popupWatcher = setInterval(() => {
       if (this.popup && this.popup.closed) {
@@ -330,6 +330,8 @@ class TutorialMaker extends Widget {
   _setCustomRenderer () {
     // custom renderer so that the iframe gets resolved by the ServiceWorker
     const ready = navigator.serviceWorker.controller && this.hvp?.data
+    // tutorial files need same-origin iframe so the SW can intercept requests
+    if (ready) NNE.iframe.removeAttribute('sandbox')
     NNE.customRender = (eve) => {
       if (ready) {
         eve.iframe.src = `/TUTORIAL_MAKER/${this.hvp.data.id}/index.html`
diff --git a/www/widgets/tutorial-maker/popups/index.html b/www/widgets/tutorial-maker/popups/index.html
index 396821ed..227421d8 100644
--- a/www/widgets/tutorial-maker/popups/index.html
+++ b/www/widgets/tutorial-maker/popups/index.html
@@ -17,7 +17,7 @@
 
 <section id="start" class="overlay">
   <p>
-    Welcome to the Tutorial Maker! This widget can be used to create your own interactive netnet tutorials. To learn how take a look at the <a id="docs-link" href="#" target="_blank">Interactive Tutorial docs</a>.
+    Welcome to the Tutorial Maker! This widget can be used to load and/or create custom interactive netnet tutorials. To learn how create your own take a look at the <a id="docs-link" href="#" target="_blank">Interactive Tutorial docs</a>. If you're going to open a tutorial someone else made, make sure you trust the source because tutorials can run arbitrary code in your netnet environment.
   </p>
   <button id="new" class="pill-btn pill-btn--secondary">new</button>
   <button id="open" class="pill-btn pil-btn--secondary">open</button>