[IPython-dev] Storing signatures outside the notebook

Thomas Kluyver takowl at gmail.com
Wed Dec 17 00:39:23 EST 2014


On 16 December 2014 at 16:14, Ondřej Čertík <ondrej.certik at gmail.com> wrote:

> What is the point of the signature in the first place? Is it just to
> verify that the .ipynb file is consistent, i.e. no accidental changes?
> I just use git for that.
>

Notebooks can contain rich output, including HTML and Javascript. But if
you open a notebook in a running notebook server, the Javascript is able to
send arbitrary code to your kernel for execution. We don't think users
should have to assume that opening a document means allowing it to
immediately run invisible code, so we sanitise the HTML outputs to exclude
anything that could cause code to be executed. But that will break some
outputs that depend on Javascript (e.g. d3 plots). Signatures are a
compromise to deal with this: once you've run the entire notebook, all the
output has come from cells you've run (and had a chance to inspect first),
so we mark it as trusted. When you open a trusted notebook, the output is
not sanitised, so stored Javascript can run.

Thomas
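
Added example, not part of the message above and not IPython's own code: a minimal sketch of the trust check it describes, assuming an HMAC-SHA256 digest under a per-user secret and a signature store kept outside the notebook file. The names `mark_trusted` and `outputs_to_render` are hypothetical, and dropping script-capable MIME types stands in for real HTML sanitisation.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-per-user-secret"  # assumption: key held only by this user
TRUSTED = set()  # signature store kept outside the .ipynb file
ACTIVE_MIMES = {"text/html", "application/javascript"}  # can carry script


def digest(nb):
    """Keyed digest of the notebook's canonical JSON form."""
    blob = json.dumps(nb, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SECRET, blob, hashlib.sha256).hexdigest()


def mark_trusted(nb):
    """Call once every output came from cells this user ran."""
    TRUSTED.add(digest(nb))


def is_trusted(nb):
    d = digest(nb)
    return any(hmac.compare_digest(d, t) for t in TRUSTED)


def outputs_to_render(nb):
    """Outputs shown on open; untrusted notebooks lose script-capable output.
    Simplification: a real server sanitises the HTML instead of dropping it."""
    keep_all = is_trusted(nb)
    shown = []
    for cell in nb["cells"]:
        for out in cell.get("outputs", []):
            shown.append({m: v for m, v in out["data"].items()
                          if keep_all or m not in ACTIVE_MIMES})
    return shown


# Constructed sample notebook: one cell whose output needs Javascript.
NB = {"cells": [{"source": "plot(data)", "outputs": [{"data": {
    "text/plain": "<Plot>",
    "text/html": "<div id='p'></div><script>drawPlot('p')</script>"}}]}]}

if __name__ == "__main__":
    print(outputs_to_render(NB))   # received from elsewhere: HTML withheld
    mark_trusted(NB)               # user has now run the whole notebook
    print(outputs_to_render(NB))   # trusted: stored HTML/JS is rendered
```

Because the digest is keyed with a secret that never leaves the user's machine, a notebook received from someone else cannot arrive already trusted, and any change to stored output after signing drops it back to the sanitised path.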