[IPython-dev] IPEP 3: Multiuser support in the notebook
Matthias BUSSONNIER
bussonniermatthias at gmail.com
Sun Sep 9 08:44:10 EDT 2012
On 9 Sept 2012 at 14:33, Carl Smith wrote:
> I'd totally misunderstood the problem. That's all pretty scary. Thanks for putting me straight.
Don't worry, I'm discovering it too; actually I discovered it when making a prototype of live collaboration.
I was like "oh my god, I can do anything I want in my Chrome browser from Safari...
F*** this means someone else could do that too, without me knowing"
This concerns me a little more for nbviewer, which is meant for sharing notebooks, and for which we would like to add user login, but we would be really vulnerable.
--
Matthias
>
> On Sep 9, 2012 10:57 AM, "Matthias BUSSONNIER" <bussonniermatthias at gmail.com> wrote:
>
> On 8 Sept 2012 at 23:09, Carl Smith wrote:
>
> > I'm not sure, but I don't think you can do cross-scripting in Chrome. Maybe other browsers will make this concern moot too. I'm not certain, but that's what I thought. I'm on my phone so I can't do much to look into it right now.
>
> Well, if I understand XSS, it is pretty trivial to do with the Python notebook, as we allow embedding scripts in .ipynb files.
> They might not be executable, but a simple notebook with, in a markdown cell:
>
> <a href='onclick=function(){alert('hello')}'> click me </a> should work.
> Moreover, you can embed iframes, etc.
>
> So one could forge a malicious ipynb file and ask you to view it through nbviewer.ipython.org.
>
> Assuming you are logged in to nbviewer.ipython.org, the scripts in this notebook have all your rights.
>
> For me, this is XSS.
>
> I won't imagine what people would try to do if you know that JS can send code to execute on the server side!
> --
> Matthias
>
>
> >
> > _______________________________________________
> > IPython-dev mailing list
> > IPython-dev at scipy.org
> > http://mail.scipy.org/mailman/listinfo/ipython-dev
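The mitigation for the hole discussed in this thread is to treat a notebook's markdown cells as untrusted HTML and run them through an allowlist sanitizer before a viewer such as nbviewer renders them for a logged-in user. What follows is an added example, not nbviewer or IPython code: a standard-library Python sanitizer that drops script/iframe/object elements together with their content, every `on*` event-handler attribute and every non-http(s) link target, plus an audit helper that reports what it would strip from each markdown cell of a notebook. The tag and attribute allowlist, the nbformat-4 cell layout (`cells` / `cell_type` / `source`) and the sample notebook are assumptions made for the example; the sanitizer is meant to run on the HTML the markdown renderer produces, since markdown passes inline HTML through untouched.

```python
"""Allowlist HTML sanitizer for notebook markdown cells.

Added example, not nbviewer/IPython code. Standard library only.
"""
import json
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: the tags a viewer needs for formatted text, nothing active.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "code", "pre", "p", "br", "img",
                "ul", "ol", "li", "h1", "h2", "h3", "blockquote", "table", "tr", "td"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Elements whose content must be dropped as well, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


def _safe_url(value):
    """Accept http(s)/mailto and same-site relative targets only.

    Whitespace and control characters are removed before the check because
    browsers ignore them inside a scheme ("java\\tscript:" is still executed).
    Protocol-relative "//host" targets are rejected too.
    """
    v = "".join(ch for ch in (value or "") if ch.isprintable() and not ch.isspace())
    v = v.lower()
    if v.startswith("//"):
        return False
    return v.startswith(SAFE_URL_PREFIXES)


class Sanitizer(HTMLParser):
    """Rebuild the fragment from allowed tags and attributes only, recording
    everything that was discarded so a viewer can log it or refuse the file."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            self.dropped.append(f"<{tag}>")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Every on* attribute is an inline event handler (onclick, onerror, ...).
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                self.dropped.append(f"{tag}@{name}")
            elif name in ("href", "src") and not _safe_url(value):
                self.dropped.append(f"{tag}@{name}={value!r}")
            else:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text never becomes markup


def sanitize_html(fragment):
    """Return (clean_html, dropped_items) for one rendered markdown cell."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


def audit_notebook(nb_json):
    """Report, per markdown cell index, the active content a viewer would strip.
    Assumes the nbformat-4 layout: top-level "cells" with "cell_type"/"source"."""
    nb = json.loads(nb_json)
    findings = []
    for idx, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") != "markdown":
            continue
        src = cell.get("source", "")
        text = "".join(src) if isinstance(src, list) else src
        _, dropped = sanitize_html(text)
        if dropped:
            findings.append((idx, dropped))
    return findings


# Constructed sample notebook: a benign cell, a cell carrying the kind of
# inline HTML the thread describes, and a code cell the audit ignores.
SAMPLE_NOTEBOOK = json.dumps({"nbformat": 4, "cells": [
    {"cell_type": "markdown", "source": ["# Title\n", "Plain *markdown* text.\n"]},
    {"cell_type": "markdown", "source": [
        '<a href="javascript:alert(1)" onclick="alert(1)">click me</a>\n',
        '<iframe src="https://example.invalid/"></iframe>\n']},
    {"cell_type": "code", "source": ["print(1)\n"]},
]})

if __name__ == "__main__":
    for idx, dropped in audit_notebook(SAMPLE_NOTEBOOK):
        print(f"cell {idx}: stripped {dropped}")
    print(sanitize_html('<p>ok <b>bold</b> <a href="https://example.com/">link</a></p>')[0])
```

In a viewer the `dropped` list is the useful signal: a notebook whose markdown needs anything stripped is worth logging or refusing outright rather than silently cleaning, since the sanitizer only covers the constructs it knows about.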