Mon Dec 31 11:43:41 CST 2012
Short from my phone.
Problem is not executing js in itself.
Problem is executed js could execute python on kernel side.
So we need to prevent inlined js in cell output, as the notebook stores cell
output that would be executed at load time.
Stripping js from cell output renders the ability to display js useless.
Also I suppose everybody trusts their own js. But you can't always trust files
you receive from others.
Finally json plugin can be used to develop a plugin that allows executing
arbitrary JS. It will just not be supported by the core team.
On 31 Dec 2012 18:02, "Nissim Karpenstein" <firstname.lastname@example.org> wrote:
> Syntax highlight changing for the %%language cells sounds closer to what I
> was thinking of.
> Can you guys explain to me the security concerns? There are several
> JS+CSS+HTML web based editors which execute your code in your browser, like
> JSFiddle and JSBin. http://jsfiddle.net and http://jsbin.com . Wouldn't
> allowing arbitrary users to execute python code on your server be much more
> browser? Doesn't the browser provide some security by segmenting resources
> notebook could be used to crash the browser, or to make the browser send
> too many requests to some server, but could it really access user's data?
> Do you mean something else by your security concerns? Is the notebook
> storing sensitive data in the browser's local storage or cookies?
> I did find this thing, but it really sounds like overkill to me for a
> programmer's tool: https://developers.google.com/caja/docs/about/
> On Mon, Dec 31, 2012 at 11:17 AM, Jason Grout <email@example.com> wrote:
>> On 12/29/12 11:29 AM, Brian Granger wrote:
>> > We don't want to allow notebooks that mix different languages at the
>> > CodeCell level.
>> Of course, cell magics alleviate this restriction, as we can right now
>> do %%r, %%cython, etc., to effectively get different languages in
>> different cells.
>> the syntax highlighting to also change if the cell detects that it is a
>> %%r cell, etc.
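
A defender-side check for the risk described in the message above (JavaScript stored in cell output runs when the notebook is loaded), as an added example that is not part of the original thread and not IPython's own code: it lists the stored outputs in a received `.ipynb` that would run script on load. The output key names for both notebook layouts and the regex heuristic are assumptions of this example; it is a triage aid, not a sanitizer.

```python
import json
import re

# Heuristic for markup that runs script when stored HTML/SVG output is rendered.
ACTIVE = re.compile(r"<\s*script\b|<[^>]+\son\w+\s*=|javascript\s*:", re.I)
JS_KEYS = {"application/javascript", "javascript"}            # nbformat 4 / 3 names
MARKUP_KEYS = {"text/html", "html", "image/svg+xml", "svg"}   # nbformat 4 / 3 names


def iter_cells(nb):
    """Yield cells from nbformat 4 ("cells") or nbformat 3 ("worksheets")."""
    yield from nb.get("cells", [])
    for sheet in nb.get("worksheets", []):
        yield from sheet.get("cells", [])


def find_active_outputs(nb):
    """Return (cell_index, reason) for each stored output that would run JS on load."""
    findings = []
    for idx, cell in enumerate(iter_cells(nb)):
        for out in cell.get("outputs", []):
            # v4 keeps the MIME bundle under "data"; v3 puts short keys on the output.
            for key, value in out.get("data", out).items():
                # Multi-line strings are stored as str or as a list of str.
                text = "".join(map(str, value)) if isinstance(value, list) else str(value)
                if key in JS_KEYS:
                    findings.append((idx, "javascript output"))
                elif key in MARKUP_KEYS and ACTIVE.search(text):
                    findings.append((idx, "script in " + key))
    return findings


# Constructed sample notebook (nbformat 4 layout), not taken from the thread.
SAMPLE = json.loads("""
{"nbformat": 4, "cells": [
 {"cell_type": "code", "outputs": [
   {"output_type": "execute_result", "data": {"text/plain": "2"}}]},
 {"cell_type": "code", "outputs": [
   {"output_type": "display_data",
    "data": {"text/html": ["<div>", "<script>/* placeholder */</script>"]}}]},
 {"cell_type": "code", "outputs": [
   {"output_type": "display_data",
    "data": {"application/javascript": "/* placeholder */"}}]}
]}
""")

if __name__ == "__main__":
    for idx, reason in find_active_outputs(SAMPLE):
        print(f"cell {idx}: {reason}")
```

Run it on a notebook received from someone else before opening it in the browser; an empty result means only that this heuristic found nothing.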