[IPython-dev] Loading nbextension on widget instantiation

Brian Granger ellisonbg at gmail.com
Mon Jun 23 17:26:40 EDT 2014


Yes, I think there is more. For *today* I think it is fine treating
widgets like any other unsafe output.

In the future, I don't think that is entirely possible. The reason is
that regular output doesn't need to touch page globals, such as the
widget manager, but widget code does. In the future, we will likely
have more locked down security settings in some contexts:

* Google Drive
* Variations of multiuser notebooks - our own, Wakari, etc.

In these contexts, all output will need to be in iframes. Putting
widgets in iframes will be difficult, but likely necessary as well.
But, because widgets have to talk to the page global widget manager,
we will have to do some serious iframe messaging craziness for widgets
to talk to the global page. The core security problem related to the
current discussion is that the widget definitions have to be loaded
into the iframes *and* likely the global page. This is needed because
all of the calls to register_widget happen on the global page. This
puts us into a really difficult situation:

* Widget JavaScript code could be hostile
* Widget JavaScript code needs to be loaded onto the global page

These two requirements conflict and we don't (as far as I know) have a
way of getting around it. Until we have a security model that solves
these issues and can be deployed in high security contexts, I think we
have to be very careful about adding new ways of loading widget-related
code onto the page.

The proposed changes fall into this category as they allow arbitrary
Python code to give a string that contains the location of a
JavaScript file that require will automatically load and run in the
global scope. That can't be protected by iframes as we currently
understand everything.



On Mon, Jun 23, 2014 at 2:05 PM, Thomas Kluyver <takowl at gmail.com> wrote:
> On 23 June 2014 13:23, Brian Granger <ellisonbg at gmail.com> wrote:
>>
>> I think we need to talk about the security aspects of this. Adding to
>> our dev meeting agenda for the week.
>
>
> In discussions with people, we've said that widgets should simply be treated
> as unsafe output, the same way as any other HTML/JS output. So if you load
> an untrusted notebook, you won't see widgets until you run it. Do you think
> there are more subtleties?
>
> Thomas



-- 
Brian E. Granger
Cal Poly State University, San Luis Obispo
@ellisonbg on Twitter and GitHub
bgranger at calpoly.edu and ellisonbg at gmail.com
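
An added example, not part of the original message or of IPython's code: one way to narrow the path described above, where a kernel-supplied string names a JavaScript file that require loads into the global scope, is to accept only plain module IDs under allowlisted locations. `checkWidgetModule`, `loadWidgetModule` and the `nbextensions/widgets/` prefix are hypothetical; the check limits where code may come from, not what allowlisted code does once loaded.

```javascript
// Added illustration: names and the allowlist below are hypothetical, not IPython API.
const ALLOWED_PREFIXES = ["nbextensions/widgets/"]; // constructed sample allowlist

// Plain module ID: slash-separated segments of [A-Za-z0-9_-] only. This rejects
// schemes ("https:"), a leading "/", "//host", "..", "?query" and a ".js" suffix,
// which RequireJS would otherwise load as a URL instead of a baseUrl-relative ID.
const MODULE_ID = /^[A-Za-z0-9_-]+(?:\/[A-Za-z0-9_-]+)*$/;

function checkWidgetModule(name, allowedPrefixes = ALLOWED_PREFIXES) {
  if (typeof name !== "string" || name.length === 0 || name.length > 200) {
    return { ok: false, reason: "not a short non-empty string" };
  }
  if (!MODULE_ID.test(name)) {
    return { ok: false, reason: "not a plain module ID" };
  }
  if (!allowedPrefixes.some((p) => name.startsWith(p))) {
    return { ok: false, reason: "outside allowlisted locations" };
  }
  return { ok: true, reason: "allowlisted" };
}

// Gate in front of the loader: requireFn stands in for the page's require().
function loadWidgetModule(name, requireFn, onLoad, log = () => {}) {
  const verdict = checkWidgetModule(name);
  if (!verdict.ok) {
    log(`refused widget module ${JSON.stringify(name)}: ${verdict.reason}`);
    return false;
  }
  requireFn([name], onLoad);
  return true;
}

// Constructed sample inputs, as a kernel message might supply them.
const samples = [
  "nbextensions/widgets/slider",
  "https://example.invalid/w.js",
  "//example.invalid/w",
  "nbextensions/widgets/../../custom",
  "nbextensions/other/thing",
];
for (const s of samples) {
  console.log(s, "->", checkWidgetModule(s).reason);
}
```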


