[IPython-dev] Scipy central & IPython notebook.

Brian Granger ellisonbg at gmail.com
Mon Sep 24 17:11:12 EDT 2012

On Mon, Sep 24, 2012 at 12:31 PM, Jason Grout
<jason-sage at creativetrax.com> wrote:
> On 9/24/12 2:19 PM, Brian Granger wrote:
>>> Certainly not as is !
>>> >Nbviewer embed remote javascript which would be high security risk for any website
>>> >or user that **trust** ipython.org
>> I am beginning to think we should remove <script> tags from markdown
>> cells because of this.
> Don't serve user-generated content from ipython.org.  Serve
> user-generated content from something like pylab-central.org or
> something.  Some time ago, someone (William Stein maybe?) forwarded to
> me a talk from someone at google which said something to the effect that
> taking care of all the vulnerabilities is *hard*, and google finally
> just decided to serve any untrusted content from a different domain.
> (yeah, I know---that chain of hearsay is not extremely inspiring...).
> I'm CCing William in hopes that maybe he was the one that forwarded the
> story and can find it (I've looked but can't find it).

For us it is not as simple as using a different domain because of the
way we load and run javascript code.  In short we:

* Get the JS code embedded in a string inside a JSON message.
* We unpack it and then eval it in the context of the cells output area.

The domain tricks don't work in a setting like this.

> But the end result was---don't server untrusted material from a trusted
> domain.
> That said, I guess we're breaking that rule with interact.sagemath.org
> (Sage's answer to something like scipy central, at least for small
> snippets).
> Thanks,
> Jason
> _______________________________________________
> IPython-dev mailing list
> IPython-dev at scipy.org
> http://mail.scipy.org/mailman/listinfo/ipython-dev

Brian E. Granger
Cal Poly State University, San Luis Obispo
bgranger at calpoly.edu and ellisonbg at gmail.com

More information about the IPython-dev mailing list