Replies: 2 comments
-
NbViewer does not run server kernels, it is "just" a rendering on the frontend (still open to javascript attacks). Datalayer is different as it provides the end-user the ability to run code with server kernels, having a larger surface to attacks.
-
Pulling @pierrotsmnrd in this discussion based on the work he is doing with panel (as shown in the example).
-
On #3, @hyamanieu raised the absence of javascript support in the outputs. That support is now enabled by default on all output, including the public notebook that can be browsed and executed by any anonymous user.
Example on https://datalayer.io/public/notebook/6555b1bf-e036-4728-903d-1bb9dca62582
This may raise security and trust concerns if the notebook contains unfriendly javascript code.
Looking at what Jupyter does with nbviewer, that same notebook rendered via https://nbviewer.org/gist/echarles/3cd62284c6acdb2a71bd3257260f51c4 executes the javascript by default.
As suggested by @hyamanieu on #3 (comment), Datalayer could add a switch that would allow/disallow the javascript code execution. For security reasons, the switch could be off by default; for user-friendliness, the switch could be on by default.
cc/ @Carreau who may hopefully share more of his expertise and thoughts here.
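
The allow/disallow switch discussed above, as an added example that is not part of the original post and is not Datalayer or Jupyter code: it walks the outputs of an nbformat v4 notebook and decides, per MIME type, whether to render, drop, or show the output in a script-less sandboxed iframe. The `allowJavascript` switch, the function names and the sample notebook are assumptions made for illustration.

```javascript
// Added example, not Datalayer or Jupyter code. allowJavascript is a hypothetical switch.
const SCRIPT_MIMES = new Set(["application/javascript"]); // renderer runs it as script
const MARKUP_MIMES = new Set(["text/html"]); // may embed <script> or on* handlers

// nbformat v4 stores multi-line strings as a string or as a list of lines.
const asText = (v) => (Array.isArray(v) ? v.join("") : String(v));

function planOutput(output, allowJavascript) {
  const isBundle = output.output_type === "display_data" ||
    output.output_type === "execute_result";
  // stream and error outputs are plain text and never execute.
  if (!isBundle) return [{ mime: "text/plain", action: "render" }];
  return Object.entries(output.data || {}).map(([mime, value]) => {
    if (allowJavascript) return { mime, action: "render" };
    if (SCRIPT_MIMES.has(mime)) return { mime, action: "drop" };
    if (MARKUP_MIMES.has(mime)) {
      // An <iframe sandbox=""> disables scripts, so the markup is shown
      // without relying on fragile string filtering of <script> tags.
      return { mime, action: "sandbox", sandbox: "", srcdoc: asText(value) };
    }
    return { mime, action: "render" };
  });
}

function planNotebook(notebook, allowJavascript = false) {
  const plan = [];
  (notebook.cells || []).forEach((cell, cellIndex) => {
    (cell.outputs || []).forEach((output, outputIndex) => {
      for (const step of planOutput(output, allowJavascript)) {
        plan.push({ cellIndex, outputIndex, ...step });
      }
    });
  });
  return plan;
}

// Constructed sample notebook (not taken from the linked notebook).
const SAMPLE = {
  nbformat: 4,
  cells: [
    { cell_type: "code", outputs: [
      { output_type: "display_data", data: {
        "application/javascript": "console.log('hi')",
        "text/plain": "<IPython.core.display.Javascript object>" } },
      { output_type: "execute_result", data: {
        "text/html": ["<b>table</b>", "<script>console.log('hi')</script>"] } },
      { output_type: "stream", name: "stdout", text: "done\n" } ] },
    { cell_type: "markdown", source: "no outputs here" } ],
};
console.log(planNotebook(SAMPLE, false));
```

The example covers only `application/javascript` and `text/html` outputs; other markup-capable types such as `image/svg+xml` or `text/markdown` with raw HTML would need a decision as well.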