<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Hi toby,</div><div><br></div><div>Happy new year too, do you mean "tornado" by scorpion ? I'm not sure csp is a solution as people </div><div>Tend to inject JavaScript into the notebook on purpose. That beeing said it would be nice to know </div><div>How or where your Ipython process have been hijacked if it had been. If the installation files have been modified then it's the security of your all server that is compromised. </div><div><br></div><div>Do you run your server on public ip? HTTPS ? With password ? </div><div><br>Envoyé de mon iPhone</div><div><br>Le 1 janv. 2014 à 02:27, Toby Burnett <<a href="mailto:tburnett@myuw.net">tburnett@myuw.net</a>> a écrit :<br><br></div><blockquote type="cite"><div>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.webkit-html-doctype
{mso-style-name:webkit-html-doctype;}
span.webkit-html-tag
{mso-style-name:webkit-html-tag;}
span.webkit-html-attribute-name
{mso-style-name:webkit-html-attribute-name;}
span.webkit-html-attribute-value
{mso-style-name:webkit-html-attribute-value;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">For the second time. When It got it several weeks ago, I thought that I had eliminated it after half a day of struggles.<o:p></o:p></p>
<p class="MsoNormal">The immediate symptom is that the IPython notebook, as served from my Linux compute server, is suddenly is a blank screen. The reason is that the HTML is modified by the browser: this is the first few lines:<br>
<br>
<o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
</tr>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><span class="webkit-html-doctype"><!DOCTYPE HTML></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
</tr>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><span class="webkit-html-tag"><html></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
</tr>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><span class="webkit-html-tag"><head><script </span><span class="webkit-html-attribute-name">type</span><span class="webkit-html-tag">="</span><span class="webkit-html-attribute-value">text/javascript</span><span class="webkit-html-tag">"
</span><span class="webkit-html-attribute-name">id</span><span class="webkit-html-tag">="</span><span class="webkit-html-attribute-value">2f2a695a6afce2c2d833c706cd677a8e</span><span class="webkit-html-tag">"
</span><span class="webkit-html-attribute-name">src</span><span class="webkit-html-tag">="<a href="http://d.lqw.me/xuiow/?o=2&g=87020BB1-5E15-E06B-C4B6-FDE07558008A&s=F5D333A8-C748-4686-AE0A-9E008F670C22&z=1387546177" target="_blank">http://d.lqw.me/xuiow/?o=2&g=87020BB1-5E15-E06B-C4B6-FDE07558008A&s=F5D333A8-C748-4686-AE0A-9E008F670C22&z=1387546177</a>"></script></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><span class="webkit-html-tag"><meta </span><span class="webkit-html-attribute-name">charset</span><span class="webkit-html-tag">="</span><span class="webkit-html-attribute-value">utf-8</span><span class="webkit-html-tag">"></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
</tr>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><span class="webkit-html-tag"><title></span>IPython Notebook<span class="webkit-html-tag"></title></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The script src property is modified in a way that is very hard to fix. (This is Chrome, but IE has the same issue.) It should be<o:p></o:p></p>
<p class="MsoNormal"><script src="/static/components/requirejs/require.js" type="text/javascript" charset="utf-8"></script><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’ll try to get rid of it again, but might have to make a clean install, ugh.
<o:p></o:p></p>
<p class="MsoNormal">When looking into how this can happen, and what safeguards there might me, I came across the idea of a “content security policy” that a web site could implement, and would, I think, at least give a warning about this:<o:p></o:p></p>
<p class="MsoNormal"><a href="https://developer.chrome.com/extensions/contentSecurityPolicy.html">https://developer.chrome.com/extensions/contentSecurityPolicy.html</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any thoughts/suggestions welcomed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">--Toby Burnett<o:p></o:p></p>
<p class="MsoNormal">(And Happy New Year to the team!)<o:p></o:p></p>
</div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>IPython-dev mailing list</span><br><span><a href="mailto:IPython-dev@scipy.org">IPython-dev@scipy.org</a></span><br><span><a href="http://mail.scipy.org/mailman/listinfo/ipython-dev">http://mail.scipy.org/mailman/listinfo/ipython-dev</a></span><br></div></blockquote></body></html>