From 107a89fce5f413fb5728c1c5d2c7788e1fb17491 Mon Sep 17 00:00:00 2001
From: Thomas Kluyver
Date: Mon, 22 Oct 2018 14:52:36 +0100
Subject: [PATCH] Apply CSP sandboxing for nbconvert responses
These may contain untrusted content, so they should be treated as being from a different domain to the notebook server.
---
 notebook/nbconvert/handlers.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/notebook/nbconvert/handlers.py b/notebook/nbconvert/handlers.py
index bb26664aa..bf0a4bfba 100644
--- a/notebook/nbconvert/handlers.py
+++ b/notebook/nbconvert/handlers.py
@@ -78,6 +78,13 @@ class NbconvertFileHandler(IPythonHandler):
 SUPPORTED_METHODS = ('GET',)
+ @property
+ def content_security_policy(self):
+ # In case we're serving HTML/SVG, confine any Javascript to a unique
+ # origin so it can't interact with the notebook server.
+ return super(NbconvertFileHandler, self).content_security_policy + \
+ "; sandbox allow-scripts"
+
 @web.authenticated
 def get(self, format, path):
@@ -145,6 +152,13 @@ class NbconvertFileHandler(IPythonHandler):
 class NbconvertPostHandler(IPythonHandler):
 SUPPORTED_METHODS = ('POST',)
+ @property
+ def content_security_policy(self):
+ # In case we're serving HTML/SVG, confine any Javascript to a unique
+ # origin so it can't interact with the notebook server.
+ return super(NbconvertPostHandler, self).content_security_policy + \
+ "; sandbox allow-scripts"
+
 @web.authenticated
 def post(self, format):
 exporter = get_exporter(format, config=self.config)
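Review bot: The comment on the new `content_security_policy` property in `NbconvertFileHandler` does not say that the protection depends on `allow-same-origin` being absent from the sandbox value. I would add a line such as `# Never add allow-same-origin here: combined with allow-scripts it puts the converted page back in the notebook server's origin.` The same comment is needed on the identical property in the `NbconvertPostHandler` hunk. The base class's `content_security_policy` is outside this hunk, so it cannot be confirmed from here that it always returns a policy string that the `"; sandbox allow-scripts"` suffix extends correctly. A handler test asserting that the `Content-Security-Policy` header of an nbconvert response contains `sandbox allow-scripts` and no `allow-same-origin` would pin that behaviour.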
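Review bot: The `content_security_policy` property added to `NbconvertPostHandler` is a line-for-line copy of the one added to `NbconvertFileHandler`, differing only in the class named in `super(...)`. Two copies of a security header can drift apart, for instance if a later edit relaxes one and not the other. A small mixin placed ahead of `IPythonHandler` in both class definitions keeps the sandbox policy in one place. The body of `post()` continues past the end of this hunk, so the sketch below leaves it untouched.

```python
class SandboxedCSPMixin(object):
    """Append a CSP sandbox so converted output is served in its own origin."""

    @property
    def content_security_policy(self):
        # allow-scripts without allow-same-origin: scripts still run, but in
        # a unique origin separate from the notebook server's.
        return super(SandboxedCSPMixin, self).content_security_policy + \
            "; sandbox allow-scripts"


class NbconvertPostHandler(SandboxedCSPMixin, IPythonHandler):
    # … unchanged: SUPPORTED_METHODS and post() …
```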