mirror/notebook
2
0
Fork 0
mirror of https://github.com/jupyter/notebook.git synced 2025-01-24 12:05:22 +08:00
Code Issues Packages Projects Releases Wiki Activity

Apply CSP sandboxing for nbconvert responses

Browse Source 
These may contain untrusted content, so they should be treated as being
from a different domain to the notebook server.
This commit is contained in:
Thomas Kluyver 2018-10-22 14:52:36 +01:00
parent 04a686dbaf
commit 107a89fce5
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
notebook/nbconvert/handlers.py
View File

@ -78,6 +78,13 @@ class NbconvertFileHandler(IPythonHandler):
SUPPORTED_METHODS = ('GET',)
@property
def content_security_policy(self):
# In case we're serving HTML/SVG, confine any Javascript to a unique
# origin so it can't interact with the notebook server.
return super(NbconvertFileHandler, self).content_security_policy + \
"; sandbox allow-scripts"
@web.authenticated
def get(self, format, path):
@ -145,6 +152,13 @@ class NbconvertFileHandler(IPythonHandler):
class NbconvertPostHandler(IPythonHandler):
SUPPORTED_METHODS = ('POST',)
@property
def content_security_policy(self):
# In case we're serving HTML/SVG, confine any Javascript to a unique
# origin so it can't interact with the notebook server.
return super(NbconvertPostHandler, self).content_security_policy + \
"; sandbox allow-scripts"
@web.authenticated
def post(self, format):
exporter = get_exporter(format, config=self.config)