[IPython-dev] Insecure loading of mathjax
Julian Taylor
jtaylor.debian at googlemail.com
Fri Aug 1 17:13:39 EDT 2014
On 01.08.2014 22:57, Kyle Kelley wrote:
> Hey all,
>
> As reported in https://github.com/ipython/ipython/issues/6246, MathJax
> will load over HTTP if using the notebook with an unencrypted
> connection (e.g. http://127.0.0.1:8888). Someone with an appropriate
> network position (the router at your local internet cafe for example)
> could modify the mathjax javascript before it gets to you, adding their
> own javascript. This would result in being able to run code on your
> IPython kernel with just a little bit of javascript
> (`IPython.notebook.kernel.execute(code)`).
>
> This issue was fixed in the git master branch (development branch for
> upcoming v. 2.2) with commit cf793ebc4, on 7/31/2014:
>
> https://github.com/ipython/ipython/commit/cf793ebc4f9e8483f104667e4c73748357fa8c56
>
Fwiw, I reported this already back in version 0.12 and the Debian
package has always been enforcing the local mathjax for that reason.
Is the mathjax cdn certificate still shared between all users of
whatever hosting provider is behind it?
Back then this was the case for the https cdn mathjax used, making it
quite pointless, as any user of that hosting service (I think it was
amazon) could serve you a forged mathjax via valid https.
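As an added example (not code from this thread or from IPython), a small checker for the condition Kyle describes: it parses a notebook page's script tags, resolves protocol-relative URLs against the page's own scheme, and flags third-party scripts that would cross the network over plain http. The sample page, its script URLs and the notebook URLs are constructed for the example.

```python
"""Flag third-party <script> URLs a notebook page would fetch over plain http.

Added example, not IPython's code. A protocol-relative src ("//host/...")
inherits the page's scheme, so a page opened at http://127.0.0.1:8888 pulls
MathJax over http, while the same page opened over https would not.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def insecure_scripts(page_url, html):
    """Return absolute URLs of scripts that cross the network unencrypted.

    Same-origin scripts are skipped: on a 127.0.0.1 notebook they never leave
    the machine, which is why a local MathJax copy avoids the problem.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    flagged = []
    for src in collector.srcs:
        # urljoin resolves //host, /path and relative srcs against the page.
        resolved = urlsplit(urljoin(page_url, src))
        if resolved.scheme == "http" and resolved.netloc != page.netloc:
            flagged.append(resolved.geturl())
    return flagged


# Constructed sample of a notebook page with three script loads.
SAMPLE_PAGE = """<html><head>
<script src="//cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS_HTML"></script>
<script src="/static/components/jquery/jquery.min.js"></script>
<script src="https://cdn.mathjax.org/mathjax/latest/MathJax.js"></script>
</head></html>"""

if __name__ == "__main__":
    for url in ("http://127.0.0.1:8888/notebooks/a.ipynb",
                "https://127.0.0.1:8888/notebooks/a.ipynb"):
        print(url, "->", insecure_scripts(url, SAMPLE_PAGE))
```

Only the protocol-relative CDN load is flagged for the http notebook; the same page served over https produces no findings.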