[IPython-dev] Notebook CodeCell for editing and executing javascript

Matthias Bussonnier bussonniermatthias@gmail....
Mon Dec 31 11:43:41 CST 2012


Short from my phone.

Problem is not executing js in itself.
Problem is that executed js could execute python on the kernel side.

So we need to prevent inlined js in cell output, as the notebook stores cell
output that would be executed at load time.

Stripping js from cell output renders the ability to display js useless.

Also I suppose everybody trusts their own js. But you can't always trust files
you receive from others.

Finally the json plugin can be used to develop a plugin that allows executing
arbitrary JS. It will just not be supported by the core team.
-- 
Matthias
On 31 Dec. 2012 18:02, "Nissim Karpenstein" <nissimk@gmail.com> wrote:

> Syntax highlight changing for the %%language cells sounds closer to what I
> was thinking of.
>
> Can you guys explain to me the security concerns?  There are several
> JS+CSS+HTML web based editors which execute your code in your browser, like
> JSFiddle and JSBin.  http://jsfiddle.net and http://jsbin.com .  Wouldn't
> allowing arbitrary users to execute python code on your server be much more
> of a security risk than allowing arbitrary javascript code to run in the
> browser?  Doesn't the browser provide some security by segmenting resources
> by origin so any javascript code executed by the notebook will not be able
> to access resources stored by other sites?  I suppose javascript in the
> notebook could be used to crash the browser, or to make the browser send
> too many requests to some server, but could it really access user's data?
>  Do you mean something else by your security concerns?  Is the notebook
> storing sensitive data in the browser's local storage or cookies?
>
> I did find this thing, but it really sounds like overkill to me for a
> programmer's tool: https://developers.google.com/caja/docs/about/
>
> On Mon, Dec 31, 2012 at 11:17 AM, Jason Grout <jason-sage@creativetrax.com> wrote:
>
>> On 12/29/12 11:29 AM, Brian Granger wrote:
>> > We don't want to allow notebooks that mix different languages at the
>> > CodeCell level.
>>
>> Of course, cell magics alleviate this restriction, as we can right now
>> do %%r, %%cython, etc., to effectively get different languages in
>> different cells.
>>
>> I don't see why we can't have a %%javascript that then just echoes the
>> javascript back to the browser to execute.  What would be cool is for
>> the syntax highlighting to also change if the cell detects that it is a
>> %%r cell, etc.
>>
>> Thanks,
>>
>> Jason
>>
>> _______________________________________________
>> IPython-dev mailing list
>> IPython-dev@scipy.org
>> http://mail.scipy.org/mailman/listinfo/ipython-dev
>>
>
>
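As an added illustration of the load-time rule Matthias describes (this is example code, not IPython's own): outputs read from a notebook file are displayed but never executed, while outputs produced in the current session may be. The output shape (a mime-keyed `data` map), the `trusted` flag and the tag allowlist are assumptions of the example.

```javascript
// Added example, not IPython code. Stored cell outputs come from whoever wrote
// the .ipynb file, so JavaScript among them must not run just because the file
// was opened: it would have the same access to the kernel as the user's own JS.
// Assumed output shape: { data: { 'application/javascript': ..., 'text/html': ... } }

const ALLOWED_TAGS = new Set([
  'p', 'b', 'i', 'em', 'strong', 'pre', 'code', 'table', 'tr', 'td', 'th',
  'ul', 'ol', 'li', 'br', 'span', 'div',
]);

// Remove what can execute inside a text/html output: <script> elements, inline
// on* handlers and javascript: URLs. A regex pass is a floor, not a full HTML
// parser; keep the tag allowlist tight and pair it with the execute policy below.
function sanitizeHtml(html) {
  let out = html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
  out = out.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, (tag, name) => {
    if (!ALLOWED_TAGS.has(name.toLowerCase())) return ''; // drop unknown tags
    return tag
      .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
      .replace(/\s+(href|src)\s*=\s*("\s*javascript:[^"]*"|'\s*javascript:[^']*')/gi, '');
  });
  return out;
}

// Decide what the frontend does with one output. `trusted` is true only for
// outputs the user's own kernel produced in this session, never for outputs
// deserialised from disk.
function loadOutput(output, trusted) {
  const data = output.data || {};
  if ('application/javascript' in data) {
    const code = data['application/javascript'];
    // Stored JS is shown as source text; it is only executed when trusted.
    return trusted ? { action: 'execute', code } : { action: 'show-source', text: code };
  }
  if ('text/html' in data) {
    const html = data['text/html'];
    return { action: 'render-html', html: trusted ? html : sanitizeHtml(html) };
  }
  if ('text/plain' in data) return { action: 'render-text', text: data['text/plain'] };
  return { action: 'skip' };
}
```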