Tue Dec 18 14:15:34 CST 2012
On 18 Dec 2012, at 19:57, Nissim Karpenstein wrote:
> Can you please elaborate further on the potential security risks.
No, code cells are not executed, but if the output contains a <script> tag...
To protect against that, we'll probably prevent JS in output by stripping it.
Obviously a JS cell would be able to go around that by manipulating the notebook structure itself.
And where a server-side kernel can "easily" be isolated, it is much harder to do on the browser side.
In a context where a user might be logged in to a service that provides an IPython notebook, and other services,
this is dangerous.
I'm not an expert on JavaScript and security, but we warned not so long ago someone who was using IPython
notebook that they had a security breach after adding a tiny feature that seemed irrelevant. So I'm a little cautious.
This is the reason why we are moving toward JSON plugins. The server owner could choose that some services
are available to users. You could of course build a service that allows executing custom JavaScript.
I totally agree that users should be responsible for what they execute, but if we build that we totally need parental control.
I still think that having the ability to execute JS in the notebook is something really worth considering, at least as an advanced feature
or a plugin.
> Have you seen jsFiddle? My suggestion is sort of a mashup of iPython notebook and jsFiddle.
> On Tue, Dec 18, 2012 at 1:40 PM, Matthias BUSSONNIER <firstname.lastname@example.org> wrote:
> Hi again,
> I'll moderate what I said an hour ago,
> I might see one way to maybe do something close to what you wish,
> It might not be straightforward, and I will think about it.
> It might be incorporated in the JS widget we planned on implementing, I'll discuss that with Brian
> to better know what his plans are.
> In any case it will probably change the notebook format, introducing incompatibilities with older ones, so
> we will think about it a lot before releasing it.
> We would still be happy to see what a prototype does, maybe you'll find how to do that in a way that
> On 18 Dec 2012, at 14:02, Nissim Karpenstein wrote:
> > Hi,
> > 1) ability to change a code cell language to JavaScript in the notebook frontend. I saw that there is a language field in the notebook file format for CodeCell but it is always = python.
> > 3) http REST api that will return json representations of Python objects that exist in the kernel. (this may already exist, I don't really understand the kernel communication protocol yet).
> > There are probably some more things like the ability to add CSS, HTML, js and image resources to the server that it can then serve back to the client. I see that there's been a lot of discussion related to this in the plugins thread, but maybe there can also be a method for accessing resources from the network and then telling the notebook server to serve them from some path.
> > I'd like to implement this and I had a couple of questions:
> > 1) Does this fit in with your ideas for the notebook or is editing non python code in CodeCell outside of the vision?
> > Thanks
> > -Nissim
> > _______________________________________________
> > IPython-dev mailing list
> > IPythonemail@example.com
> > http://mail.scipy.org/mailman/listinfo/ipython-dev
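An added example (not part of the original thread or of IPython's code): a check that flags stored outputs in a saved notebook that would run script when rendered, which is the case the reply above describes. It assumes the nbformat v4 JSON layout (`cells`, then `outputs`, then `data` keyed by MIME type), which postdates this thread; the sample notebook and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

class ActiveContentFinder(HTMLParser):
    """Collects reasons why an HTML fragment would run code when rendered."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            compact = "".join((value or "").lower().split())
            if name.startswith("on"):  # onclick, onerror, onload, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

def _text(value):
    # Notebook JSON stores multi-line strings as a str or a list of str.
    return "".join(value) if isinstance(value, list) else str(value)

def scan_notebook(nb):
    """Return (cell_index, reason) for each stored output with active content."""
    hits = []
    for i, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") != "code":
            continue
        for out in cell.get("outputs", []):
            data = out.get("data", {})
            if "application/javascript" in data:
                hits.append((i, "application/javascript output"))
            for mime in ("text/html", "image/svg+xml"):
                if mime in data:
                    finder = ActiveContentFinder()
                    finder.feed(_text(data[mime]))
                    finder.close()
                    hits.extend((i, f"{mime}: {r}") for r in finder.findings)
    return hits

# Constructed sample: no cell is executed on load, yet two outputs carry script.
SAMPLE = {"cells": [
    {"cell_type": "code", "outputs": [{"output_type": "stream", "text": "hi\n"}]},
    {"cell_type": "code", "outputs": [{"output_type": "display_data",
        "data": {"text/html": ["<b>table</b>", "<script>alert(1)</script>"]}}]},
    {"cell_type": "code", "outputs": [{"output_type": "execute_result",
        "data": {"text/html": '<img src="x.png" onerror="alert(1)">'}}]},
    {"cell_type": "markdown", "source": "notes"},
]}
```

A detector like this is a pre-open triage step; it does not replace stripping or sandboxing the output at render time.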