[IPython-dev] Url route to download a notebook and open it

Kyle Kelley rgbkrk at gmail.com
Mon Aug 18 01:09:12 EDT 2014

Going after the security issue, the nice thing is that we're now signing
the notebooks. No javascript from a notebook would be run. iframe embedding
is now blocked by the X-Frame-Options header as well.

With the notebook prior to v2, as an attacker I would create a site that
opens an iframe to a download route (or provides a link) to a malicious
notebook (hosted on one of the whitelisted domains, like

That's not to say that there wouldn't be a hole elsewhere with a download
route. The thing about making an explicit action on the user's part is to
make this avenue for attack less easy.

On Thu, Aug 7, 2014 at 10:24 AM, Paddy Mullen <paddy at paddymullen.com> wrote:

> It would be useful to have an url route that downloaded a notebook and
> opened it.
> I could see a route like http://localhost:8888/download/
> https://raw.githubusercontent.com/ipython/ipython/master/examples/Notebook/SymPy.ipynb
> that would download the SymPy notebook and open it.
> This would make it easy to link to generated notebooks.  The alternative
> workflow now is to provide a download link, and have the user drag that
> file into the notebook filebrowser.
> I realize that this would be a security risk, so it would probably be a
> feature that was best disabled by default.  A configurable whitelist of
> allowable download domains could help a lot.
> _______________________________________________
> IPython-dev mailing list
> IPython-dev at scipy.org
> http://mail.scipy.org/mailman/listinfo/ipython-dev

Kyle Kelley (@rgbkrk <https://twitter.com/rgbkrk>; http://lambdaops.com)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/ipython-dev/attachments/20140818/65bb6ab3/attachment.html>

More information about the IPython-dev mailing list