[IPython-dev] IPEP 3: Multiuser support in the notebook

Matthias BUSSONNIER bussonniermatthias@gmail....
Sun Sep 9 07:44:10 CDT 2012


Le 9 sept. 2012 à 14:33, Carl Smith a écrit :

> I'd totally misunderstood the problem. That's all pretty scary. Thanks for putting me straight.

Don't worry, I'm discovering it too, actually I discovered it when making a prototype a live collaboration. 
I was like "oh my god, I can do anything I want in my chrome browser from safari... 
F*** this means so else could do that too, without me knowing"

This concern me a little more for nbviewer which is meant for sharing notebook, and for which we would like to add user login, but we would be really vulnerable. 
-- 
Matthias

> 
> On Sep 9, 2012 10:57 AM, "Matthias BUSSONNIER" <bussonniermatthias@gmail.com> wrote:
> 
> Le 8 sept. 2012 à 23:09, Carl Smith a écrit :
> 
> > I'm not sure, but I don't think you can do cross-scripting in Chrome. Maybe other browsers will make this concern mute too. I'm not certain, but that's what I thought. I'm on my phone so I can't do much to look into it right now.
> 
> Well, If I understand XSS it is pretty trivial to do with python notebook as we allow to embed script in .ipynb files.
> They might not be executable but a simple notebook with in a markdown cell :
> 
> <a href='onclick=function(){alert('hello')}'> click me </a> should work.
> moreover you can embed iframes, ...Etc.
> 
> So could forge a malicious ipynb file and ask you to view it through nbviewer.ipython.org.
> 
> assuming you are logged to nbviewer.ipython.org, the scripts in this notebook has all your rights.
> 
> For me, this is XSS.
> 
> I won't imagine what people would try to do if you know that JS can send code to execute on the server side !
> --
> Matthias
> 
> 
> >
> > _______________________________________________
> > IPython-dev mailing list
> > IPython-dev@scipy.org
> > http://mail.scipy.org/mailman/listinfo/ipython-dev
> 
> _______________________________________________
> IPython-dev mailing list
> IPython-dev@scipy.org
> http://mail.scipy.org/mailman/listinfo/ipython-dev
> _______________________________________________
> IPython-dev mailing list
> IPython-dev@scipy.org
> http://mail.scipy.org/mailman/listinfo/ipython-dev



More information about the IPython-dev mailing list