[IPython-dev] IPEP 3: Multiuser support in the notebook

Matthias BUSSONNIER bussonniermatthias at gmail.com
Sun Sep 9 12:56:40 EDT 2012

Le 9 sept. 2012 à 18:19, Brian Granger a écrit :

> On Sun, Sep 9, 2012 at 2:57 AM, Matthias BUSSONNIER
> <bussonniermatthias at gmail.com> wrote:
>> Le 8 sept. 2012 à 23:09, Carl Smith a écrit :
>>> I'm not sure, but I don't think you can do cross-scripting in Chrome. Maybe other browsers will make this concern mute too. I'm not certain, but that's what I thought. I'm on my phone so I can't do much to look into it right now.
>> Well, If I understand XSS it is pretty trivial to do with python notebook as we allow to embed script in .ipynb files.
>> They might not be executable but a simple notebook with in a markdown cell :
>> <a href='onclick=function(){alert('hello')}'> click me </a> should work.
>> moreover you can embed iframes, ...Etc.
>> So could forge a malicious ipynb file and ask you to view it through nbviewer.ipython.org.
>> assuming you are logged to nbviewer.ipython.org, the scripts in this notebook has all your rights.
>> For me, this is XSS.
>> I won't imagine what people would try to do if you know that JS can send code to execute on the server side !
> I am not sure I am following the discussion here.  The IPython
> Notebook is designed to execute arbitrary python and javascript code.
> we don't view that as a security vulnerability - it is our central
> feature!  Is this what you are talking about or is there some other
> subtle aspect you are referring to?

I don't agree with : 
> The IPython Notebook is designed to execute arbitrary python and javascript code.

The user should be able to execute any python and javascript he wants. 
I don't want when loading a foreign notebook that some JS execute: "get cookie and send it to eve at hacked.me"
in multi-user environment, you have the user-context, and the notebook context. 
one supersede the other. 
I, from user-context, can interact with every notebook. 
Someone, from inside a notebook, should not be able to access user context. 

let's have a concrete example with nbviewer.
Which for the purpose of the example have log-in and ability for user to grant access to github, rw via OpenAuth, so that I can comment, edit from nbviewer, view their private notebooks... 

I can forge a notebook that on hover of the first cell send a bogus request to nbviewer, that look like user click asking a github to share your entire repos with me. I send it to you, and get access to the secret work you are doing with the DOD.

> One thing you might be talking about is the fact that <script> tags in
> markdown cells can be executed on page load without a user knowing
> about them.  The markdown renderer we are using has the ability to
> strip <script> tags.  We might want to do that so the only way that
> javascript code can be run is by the kernel running code that sends
> back dynamic javascript.  I am probably +0.5 on this idea currently.

Not only on load, but with live multi user on sync.
And it is not only the script tag, but js in href link. 
This also touch the output area that can have scripts in display_html.

Executing script on markdown is usefull as it is asynchrone. I had some good example of that during SciPy and enthough.
I would prefer sandboxing script execution.

More information about the IPython-dev mailing list