[IPython-dev] Scipy central & IPython notebook.

Brian Granger ellisonbg@gmail....
Mon Sep 24 16:22:27 CDT 2012


On Mon, Sep 24, 2012 at 2:20 PM, Matthias BUSSONNIER
<bussonniermatthias@gmail.com> wrote:
>
> On 24 Sept. 2012 at 23:11, Brian Granger wrote:
>
>> On Mon, Sep 24, 2012 at 12:31 PM, Jason Grout
>> <jason-sage@creativetrax.com> wrote:
>>> On 9/24/12 2:19 PM, Brian Granger wrote:
>>>>> Certainly not as is!
>>>>>> Nbviewer embeds remote javascript, which would be a high security risk for any website
>>>>>> or user that **trusts** ipython.org
>>>> I am beginning to think we should remove <script> tags from markdown
>>>> cells because of this.
>>>>
>>>
>>> Don't serve user-generated content from ipython.org.  Serve
>>> user-generated content from something like pylab-central.org or
>>> something.  Some time ago, someone (William Stein maybe?) forwarded to
>>> me a talk from someone at Google which said something to the effect that
>>> taking care of all the vulnerabilities is *hard*, and Google finally
>>> just decided to serve any untrusted content from a different domain.
>>> (yeah, I know---that chain of hearsay is not extremely inspiring...).
>>> I'm CCing William in hopes that maybe he was the one that forwarded the
>>> story and can find it (I've looked but can't find it).
>>
>> For us it is not as simple as using a different domain because of the
>> way we load and run javascript code.  In short we:
>>
>> * Get the JS code embedded in a string inside a JSON message.
>> * We unpack it and then eval it in the context of the cell's output area.
>
> For notebook, yes, not for nbviewer.
> Displayed js is not evaluated in nbviewer, only script tags.
>
> Even displayed js is not evaluated when loading notebooks.

Right, thanks for the clarification.

Cheers,

Brian

> --
> Matthias
> _______________________________________________
> IPython-dev mailing list
> IPython-dev@scipy.org
> http://mail.scipy.org/mailman/listinfo/ipython-dev



-- 
Brian E. Granger
Cal Poly State University, San Luis Obispo
bgranger@calpoly.edu and ellisonbg@gmail.com

