[IPython-dev] Url route to download a notebook and open it
rgbkrk at gmail.com
Mon Aug 18 01:09:12 EDT 2014
Going after the security issue, the nice thing is that we're now signing
is now blocked by the X-Frame-Options header as well.
With the notebook prior to v2, as an attacker I would create a site that
opens an iframe to a download route (or provides a link) to a malicious
notebook (hosted on one of the whitelisted domains, like
That's not to say that there wouldn't be a hole elsewhere with a download
route. The thing about making an explicit action on the user's part is to
make this avenue for attack less easy.
On Thu, Aug 7, 2014 at 10:24 AM, Paddy Mullen <paddy at paddymullen.com> wrote:
> It would be useful to have a URL route that downloaded a notebook and
> opened it.
> I could see a route like http://localhost:8888/download/
> that would download the SymPy notebook and open it.
> This would make it easy to link to generated notebooks. The alternative
> workflow now is to provide a download link, and have the user drag that
> file into the notebook filebrowser.
> I realize that this would be a security risk, so it would probably be a
> feature that was best disabled by default. A configurable whitelist of
> allowable download domains could help a lot.
Kyle Kelley (@rgbkrk <https://twitter.com/rgbkrk>; http://lambdaops.com)
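
The "configurable whitelist of allowable download domains" proposed in the quoted message, sketched as an added example (not code from this thread or from IPython). The host name, the https-only, default-port and .ipynb restrictions, and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; a real deployment would load this
# from configuration (no option name is defined anywhere in the thread).
ALLOWED_HOSTS = frozenset({"notebooks.example.org"})


def check_download_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a URL handed to a hypothetical download route."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    # Scheme-relative ("//host/...") and plain http URLs are refused.
    if parts.scheme != "https":
        return False, "scheme must be https"
    # "allowed.host@other.host" puts the allowed name in the userinfo field,
    # while the request would actually go to other.host.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    # urlsplit lowercases the host; also drop a trailing root dot.
    host = (parts.hostname or "").rstrip(".")
    # Exact match only: suffix or substring matching would accept
    # "notebooks.example.org.evil.example".
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    if port not in (None, 443):
        return False, "non-default port"
    if not parts.path.endswith(".ipynb"):
        return False, "not a notebook path"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "https://notebooks.example.org/sympy.ipynb",
        "https://notebooks.example.org@evil.example/sympy.ipynb",
        "https://notebooks.example.org.evil.example/sympy.ipynb",
        "http://notebooks.example.org/sympy.ipynb",
    ):
        print(sample, "->", check_download_url(sample))
```

Passing this check only says the source host is allowed; it does not replace the explicit user action or the X-Frame-Options protection discussed in the reply above.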