[IPython-dev] IPEP 3: Multiuser support in the notebook

Carl Smith carl.input at gmail.com
Sun Sep 9 08:33:34 EDT 2012


I'd totally misunderstood the problem. That's all pretty scary. Thanks for
putting me straight.
On Sep 9, 2012 10:57 AM, "Matthias BUSSONNIER" <bussonniermatthias at gmail.com>
wrote:

>
> On 8 Sept 2012 at 23:09, Carl Smith wrote:
>
> > I'm not sure, but I don't think you can do cross-scripting in Chrome.
> Maybe other browsers will make this concern moot too. I'm not certain, but
> that's what I thought. I'm on my phone, so I can't do much to look into it
> right now.
>
> Well, if I understand XSS, it is pretty trivial to do with the Python notebook,
> as we allow embedding scripts in .ipynb files.
> They might not be executable, but a simple notebook with, in a markdown cell:
>
> <a href='onclick=function(){alert('hello')}'> click me </a> should work.
> Moreover, you can embed iframes, etc.
>
> So one could forge a malicious ipynb file and ask you to view it through
> nbviewer.ipython.org.
>
> Assuming you are logged in to nbviewer.ipython.org, the scripts in this
> notebook have all your rights.
>
> For me, this is XSS.
>
> I won't imagine what people would try to do if you know that JS can send
> code to execute on the server side!
> --
> Matthias
>
>
> >
> > _______________________________________________
> > IPython-dev mailing list
> > IPython-dev at scipy.org
> > http://mail.scipy.org/mailman/listinfo/ipython-dev
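The concern raised above is that a markdown cell can carry raw HTML with event handlers, iframes or script tags that run in the viewer's browser under the viewer's session. The following added example (not nbviewer's or IPython's own code) audits a notebook's markdown cells for that kind of active content before rendering; it assumes the nbformat 4 layout (a top-level `cells` list) and a constructed list of tags and attributes to flag.

```python
import json
from html.parser import HTMLParser

# Tags that let a notebook author run script or load third-party content in
# the viewer's browser. Constructed illustration, not nbviewer's actual policy.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}


class _Auditor(HTMLParser):
    """Collect findings about raw HTML inside one markdown cell."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"<{tag}> tag")
        for name, value in attrs:
            if name.startswith("on"):           # onclick=, onload=, ...
                self.findings.append(f"{name}= handler on <{tag}>")
            elif name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL on <{tag}>")


def audit_notebook(ipynb_text):
    """Return {cell_index: [finding, ...]} for markdown cells with active HTML.

    Assumes nbformat 4: a top-level "cells" list whose "source" is a string
    or a list of strings. Code cells are skipped; only markdown is rendered
    as HTML by a viewer.
    """
    nb = json.loads(ipynb_text)
    report = {}
    for i, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") != "markdown":
            continue
        source = cell.get("source", "")
        if isinstance(source, list):
            source = "".join(source)
        auditor = _Auditor()
        auditor.feed(source)
        if auditor.findings:
            report[i] = auditor.findings
    return report


# Constructed sample: one benign cell, one carrying the HTML the thread describes.
SAMPLE_IPYNB = json.dumps({
    "nbformat": 4, "nbformat_minor": 0, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "source": ["# Title\n", "Plain *markdown* only."]},
        {"cell_type": "markdown", "source": [
            "<a href='#' onclick='alert(1)'>click me</a>\n",
            "<iframe src='https://example.invalid'></iframe>"]},
    ],
})

if __name__ == "__main__":
    print(audit_notebook(SAMPLE_IPYNB))
```

A viewer that renders untrusted notebooks would use such findings to strip or neutralise the flagged markup rather than merely report it.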