[IPython-dev] Insecure loading of mathjax

Kyle Kelley rgbkrk at gmail.com
Fri Aug 1 16:57:10 EDT 2014

Hey all,

As reported in https://github.com/ipython/ipython/issues/6246, MathJax will
load over HTTP if using the notebook with an unencrypted connection (e.g. Someone with an appropriate network position (the
router at your local internet cafe for example) could modify the mathjax
javascript before it gets to you, adding their own javascript. This would
result in being able to run code on your IPython kernel with just a little
bit of javascript (`IPython.notebook.kernel.execute(code)`).

This issue was fixed in the git master branch (development branch for
upcoming v. 2.2) with commit cf793ebc4, on 7/31/2014:



* Run the notebook with SSL (see
This will load MathJax over SSL via the MathJax CDN.

* Install mathjax locally

    from IPython.external.mathjax import install_mathjax
    install_mathjax()

We have requested a CVE for this via the oss-security mailing list.

Kyle Kelley (@rgbkrk; http://lambdaops.com)
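
Added example (not part of the original message and not IPython's own code): a check that resolves every script source on a notebook page against the page URL and reports the ones that would be fetched over plain HTTP from a non-loopback host. The sample HTML, the host cdn.example.test and the protocol-relative MathJax URL are constructed assumptions that model the behaviour described above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Scripts served by the local notebook server itself never cross the network.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def insecure_scripts(page_url, html):
    """Return resolved script URLs fetched over http:// from a remote host."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    flagged = []
    for src in collector.srcs:
        # urljoin handles relative paths and protocol-relative //host/ URLs,
        # which inherit the scheme of the page that includes them.
        resolved = urljoin(page_url, src)
        parts = urlsplit(resolved)
        if parts.scheme == "http" and parts.hostname not in LOOPBACK:
            flagged.append(resolved)
    return flagged


# Constructed sample page, not real notebook output.
SAMPLE_HTML = """
<html><head>
<script src="/static/components/jquery/jquery.min.js"></script>
<script src="//cdn.example.test/mathjax/MathJax.js?config=TeX-AMS_HTML"></script>
<script src="https://cdn.example.test/other.js"></script>
</head></html>
"""

if __name__ == "__main__":
    page = "http://localhost:8888/notebooks/demo.ipynb"
    for url in insecure_scripts(page, SAMPLE_HTML):
        print("insecure script:", url)
```

Running the same check with an https:// page URL returns an empty list for this sample, since the protocol-relative source then resolves to HTTPS.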