[IPython-dev] Insecure loading of mathjax

Julian Taylor jtaylor.debian at googlemail.com
Fri Aug 1 17:13:39 EDT 2014

On 01.08.2014 22:57, Kyle Kelley wrote:
> Hey all,
> As reported in https://github.com/ipython/ipython/issues/6246, MathJax
> will load over HTTP if using the notebook with an unencrypted
> connection (e.g. Someone with an appropriate
> network position (the router at your local internet cafe for example)
> could modify the mathjax javascript before it gets to you, adding their
> own javascript. This would result in being able to run code on your
> IPython kernel with just a little bit of javascript
> (`IPython.notebook.kernel.execute(code)`).
> This issue was fixed in the git master branch (development branch for
> upcoming v. 2.2) with commit cf793ebc4, on 7/31/2014:
> https://github.com/ipython/ipython/commit/cf793ebc4f9e8483f104667e4c73748357fa8c56

Fwiw, I reported this already back in version 0.12 and the Debian
package has always been enforcing the local mathjax for that reason.

Is the mathjax cdn certificate still shared between all users of
whatever hosting provider is behind it?
Back then this was the case for the https cdn mathjax used, making it
quite pointless, as any user of that hosting service (I think it was
amazon) could serve you a forged mathjax via valid https.
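
One way a packager could check a rendered notebook page for the problem discussed in this thread (script sources that would be fetched over plain HTTP from a third party), added here as an example and not code from the IPython project; the sample HTML and the cdn.example.net host are constructed:

```python
"""Flag <script> tags whose JavaScript would be fetched over plain HTTP.

Constructed example, not IPython code. A third-party script loaded over
http:// (or via a protocol-relative // URL on an http page) can be replaced
by anyone on the network path; same-origin scripts add no new party, so they
are not flagged even when the page itself is served over http.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def insecure_script_sources(html, page_url):
    """Return cross-origin script URLs, resolved against page_url, that use http."""
    collector = _ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).netloc
    flagged = []
    for src in collector.srcs:
        # urljoin turns //host/path into http://host/path on an http page,
        # which is exactly the case that makes a CDN script tamperable.
        resolved = urljoin(page_url, src)
        parts = urlparse(resolved)
        if parts.scheme == "http" and parts.netloc != page_host:
            flagged.append(resolved)
    return flagged


# Constructed notebook-like page: one local script, one explicit http CDN
# script, one protocol-relative CDN script and one https CDN script.
SAMPLE_NOTEBOOK_HTML = """
<html><head>
<script src="/static/components/jquery/jquery.min.js"></script>
<script src="http://cdn.example.net/mathjax/latest/MathJax.js?config=TeX-AMS_HTML"></script>
<script src="//cdn.example.net/mathjax/latest/MathJax.js"></script>
<script src="https://cdn.example.net/mathjax/latest/MathJax.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for url in ("http://localhost:8888/notebooks/x.ipynb",
                "https://localhost:8888/notebooks/x.ipynb"):
        print(url, "->", insecure_script_sources(SAMPLE_NOTEBOOK_HTML, url))
```

On an http notebook page both the explicit http:// and the protocol-relative CDN script are flagged; on an https page only the explicit http:// one remains, which is why shipping MathJax locally (same origin) removes the issue entirely.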
