[IPython-dev] Scipy central & IPython notebook.
Jason Grout
jason-sage at creativetrax.com
Mon Sep 24 15:31:01 EDT 2012
On 9/24/12 2:19 PM, Brian Granger wrote:
>> Certainly not as is!
>> >Nbviewer embeds remote JavaScript, which would be a high security risk for any website
>> >or user that **trusts** ipython.org
> I am beginning to think we should remove <script> tags from markdown
> cells because of this.
>
Don't serve user-generated content from ipython.org. Serve
user-generated content from something like pylab-central.org or
something. Some time ago, someone (William Stein maybe?) forwarded to
me a talk from someone at Google which said something to the effect that
taking care of all the vulnerabilities is *hard*, and Google finally
just decided to serve any untrusted content from a different domain.
(yeah, I know---that chain of hearsay is not extremely inspiring...).
I'm CCing William in hopes that maybe he was the one that forwarded the
story and can find it (I've looked but can't find it).
But the end result was---don't serve untrusted material from a trusted
domain.
That said, I guess we're breaking that rule with interact.sagemath.org
(Sage's answer to something like scipy central, at least for small
snippets).
Thanks,
Jason