[IPython-dev] Url route to download a notebook and open it

Kyle Kelley rgbkrk at gmail.com
Mon Aug 18 01:09:12 EDT 2014


Going after the security issue, the nice thing is that we're now signing
the notebooks. No javascript from a notebook would be run. iframe embedding
is now blocked by the X-Frame-Options header as well.

With the notebook prior to v2, as an attacker I would create a site that
opens an iframe to a download route (or provides a link) to a malicious
notebook (hosted on one of the whitelisted domains, like
githubusercontent.com).

That's not to say that there wouldn't be a hole elsewhere with a download
route. The thing about making an explicit action on the user's part is to
make this avenue for attack less easy.



On Thu, Aug 7, 2014 at 10:24 AM, Paddy Mullen <paddy at paddymullen.com> wrote:

> It would be useful to have a URL route that downloaded a notebook and
> opened it.
>
> I could see a route like http://localhost:8888/download/
> https://raw.githubusercontent.com/ipython/ipython/master/examples/Notebook/SymPy.ipynb
>
> that would download the SymPy notebook and open it.
>
> This would make it easy to link to generated notebooks.  The alternative
> workflow now is to provide a download link, and have the user drag that
> file into the notebook filebrowser.
>
> I realize that this would be a security risk, so it would probably be a
> feature that was best disabled by default.  A configurable whitelist of
> allowable download domains could help a lot.
>
> _______________________________________________
> IPython-dev mailing list
> IPython-dev at scipy.org
> http://mail.scipy.org/mailman/listinfo/ipython-dev
>
>


-- 
Kyle Kelley (@rgbkrk <https://twitter.com/rgbkrk>; http://lambdaops.com)
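Added example (not code from this thread or from the IPython project): a stdlib-only sketch of the defensive shape the two messages above converge on. It takes Paddy's "configurable whitelist of allowable download domains" and Kyle's "explicit action on the user's part" and shows how a download route could be gated so that a third-party page cannot trigger the fetch on its own. The allowlist contents, the function names and the token-handling are assumptions for illustration; the SymPy notebook URL is the one quoted in Paddy's message.

```python
import hmac
from urllib.parse import urlsplit

# Constructed example allowlist; a real deployment would load this from config.
ALLOWED_DOWNLOAD_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com"}


def is_allowed_download_url(url, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS):
    """True only if `url` is an https .ipynb on an exactly-allowlisted host.

    Host matching is done on the parsed hostname, not on a substring of the
    URL, so 'https://good.example@evil.example/...' and
    'https://good.example.evil.example/...' are both rejected.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo in the authority is a classic host-confusion trick
    try:
        if parts.port not in (None, 443):
            return False
    except ValueError:  # non-numeric port
        return False
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False
    return parts.path.endswith(".ipynb")


def decide_download(method, url, form_token, session_token):
    """Return 'confirm', 'fetch' or 'reject' for a request to the download route.

    GET never fetches: it only renders a page asking the user to confirm,
    so a link or hidden iframe on someone else's site cannot import a
    notebook by itself. The fetch happens on a POST that carries the
    per-session token embedded in that confirmation page.
    """
    if not is_allowed_download_url(url):
        return "reject"
    if method == "GET":
        return "confirm"
    if method == "POST" and form_token and session_token:
        if hmac.compare_digest(form_token, session_token):
            return "fetch"
    return "reject"


def response_headers():
    """Headers the route should always send; SAMEORIGIN stops cross-site framing."""
    return {"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html; charset=utf-8"}


if __name__ == "__main__":
    sympy_url = ("https://raw.githubusercontent.com/ipython/ipython/master/"
                 "examples/Notebook/SymPy.ipynb")
    print(decide_download("GET", sympy_url, None, "tok"))           # confirm
    print(decide_download("POST", sympy_url, "tok", "tok"))         # fetch
    print(decide_download("POST", sympy_url, "wrong", "tok"))       # reject
    print(decide_download("GET", "https://evil.example/x.ipynb", None, "tok"))  # reject
```

The point of splitting the route into confirm and fetch is that the cross-site link only ever reaches the confirm step; the fetch needs a token the attacker's page cannot read.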