[IPython-dev] Scipy central & IPython notebook.

Jason Grout jason-sage@creativetrax....
Mon Sep 24 14:31:01 CDT 2012


On 9/24/12 2:19 PM, Brian Granger wrote:
>> Certainly not as is !
>> >Nbviewer embed remote javascript which would be high security risk for any website
>> >or user that **trust** ipython.org
> I am beginning to think we should remove <script> tags from markdown
> cells because of this.
>

Don't serve user-generated content from ipython.org.  Serve 
user-generated content from something like pylab-central.org or 
something.  Some time ago, someone (William Stein maybe?) forwarded to 
me a talk from someone at google which said something to the effect that 
taking care of all the vulnerabilities is *hard*, and google finally 
just decided to serve any untrusted content from a different domain. 
(yeah, I know---that chain of hearsay is not extremely inspiring...). 
I'm CCing William in hopes that maybe he was the one that forwarded the 
story and can find it (I've looked but can't find it).

But the end result was---don't server untrusted material from a trusted 
domain.

That said, I guess we're breaking that rule with interact.sagemath.org 
(Sage's answer to something like scipy central, at least for small 
snippets).

Thanks,

Jason



More information about the IPython-dev mailing list