[IPython-dev] "Freezing" dynamic content with nbconvert, was ANN: Exhibitionist
Thu Mar 7 11:39:45 CST 2013
Le 7 mars 2013 à 17:48, yoval p. a écrit :
> I've been giving matthias's comment some thought re nbviewer support
> due to security-concerns.
> Here is a solution to both issues that I'd like to suggest:
> There's a need to separate static HTML from HTML bearing
> My suggestion is that the display protocol be modified so that the semantics of
> `_repr_html_` would mean static HTML only, and a new `_repr_jshtml_` (however named)
> magic method would be supported, under which objects would implement
> dynamic views.
> This provides the following benefits:
> - Objects can provide HTML representation of themselves suiting
> the environment they are in. It's the front end that chooses the
> representation it supports. So there will be no further need to sniff
> qtconsole vs. IPNB via `get_ipython().config`.
> In particular, nbviewer could leverage this to allow even dynamic views
> to gracefully degrading in order to cooperate.
> - For security reasons, the use of '_repr_jshtml_' view by IPYthon would be behind
> an opt-in mechanism, and the static `_repr_html_` would be sanitized/sandboxed.
> The IPython.core.display functions could be extended accordingly to
> obey the currently active security policy.
We are also certain that we can have a more general approach.
(Keep in mind that, thinking of the display protocol as only html/js notebook/qtconsole is also much too restrictive)
In short, we believe using _display_json_ is the right way and is enough.
Most of the time, when you display js, the only thing you want to send are data that need to be interpreted.
This allow also to depend on other installed plugin without having to embed lib like jQuery etc at every call.
In framework like chromium embeded, you cannot in any way execute code that are in script tag. The js
**have to** be part of the application at launch time.
it will just not be supported.
As for nbviewer, if there is a _repr_json_ , nothing prevent it from using it in html to have dynamic represent,
but the same json could be use to make a Tikz representation in latex, or even multiple plugin could be able to interpret the same json.
So after long repletion, I am convince that json-repr is the way to go.
We'll still consider the suggestion of course, and discussion are welcomed.
> Matthias BUSSONNIER write:
> > Hi y-p !
> > Look really nice !
> > Did not have time to look into the source right now, but I'll definitively will.
> > Do you think the data exchanged with the kernel in some cases could be store either in the metadata of cells,
> > or in the Json representation of displayed object ?
> > If we do this and by carefully crafting the "js plugin" they could be loaded by nbviewer and read sone data in the dom injected.
> > Which would allow a limited interactivity on nbviewer.
> > If you do , this can be problematic in the future.
> > --
> > Matthias
> IPython-dev mailing list
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the IPython-dev