[IPython-dev] Scipy central & IPython notebook.

Matthias BUSSONNIER bussonniermatthias at gmail.com
Mon Sep 24 15:55:33 EDT 2012

Le 24 sept. 2012 à 21:31, Jason Grout a écrit :

> On 9/24/12 2:19 PM, Brian Granger wrote:
>>> Certainly not as is !
>>>> Nbviewer embed remote javascript which would be high security risk for any website
>>>> or user that **trust** ipython.org
>> I am beginning to think we should remove <script> tags from markdown
>> cells because of this.
> Don't serve user-generated content from ipython.org.  Serve 
> user-generated content from something like pylab-central.org or 
> something.  Some time ago, someone (William Stein maybe?) forwarded to 
> me a talk from someone at google which said something to the effect that 
> taking care of all the vulnerabilities is *hard*, and google finally 
> just decided to serve any untrusted content from a different domain. 
> (yeah, I know---that chain of hearsay is not extremely inspiring...). 
> I'm CCing William in hopes that maybe he was the one that forwarded the 
> story and can find it (I've looked but can't find it).
> But the end result was---don't server untrusted material from a trusted 
> domain.

I don't quite see how we could do that as ipynb is transformed to html/css/javascript on the server side, 
and we would like to allow some kind of integration with github like possibility for users to post comment directly from nbviewer.
But i'm not an expert on web technologies, and i'm sure this problem has been encounters elsewhere and has a solution. 

Obviously with the nbviewer, we can restrict javascript execution, but this is more an issue with notebook collaboration where user will expect to be able to publish javascript.
I think html5 sandbox could be a solution, but I haven't  found any good resources to clearly understand what could be done.

Still, thanks for the suggestion, i'll see what i can do with difference domains.

More information about the IPython-dev mailing list