-
Notifications
You must be signed in to change notification settings - Fork 545
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Idea to enhance nbviewer with js/css plugins to make nbviewer+ipynb secure, dynamic and mobile friendly #778
Comments
Idea to enhance nbviewer with js/css plugins to make nbviewer+ipynb secure, dynamic and mobile friendly @Carreau @minrk If interested please see the idea description. The proposed idea would create a new online publishing experience. New in a sense that we are still to get a free secure one click solution convenient both for the content publishers and for content readers on desktop and mobile. |
Idea to enhance nbviewer with js/css plugins to make nbviewer+ipynb secure, dynamic and mobile friendly @fperez If interested please see the idea description. The proposed idea would create a new online publishing experience. New in a sense that we are still to get a free secure one click solution convenient both for the content publishers and for content readers on desktop and mobile. |
Hi @kiwi0fruit. Thank you for sharing your idea. I'll try to answer your questions below. I'm not sure yet if they're possible or appropriate for nbviewer given its scope (nbconvert as a public service) or status (devs focusing on other parts of the Jupyter ecosystem), but maybe with some back and forth we can see what shakes out.
Notebooks can contain arbitrary JavaScript output and nbviewer will execute it on page load. We're relying on standard browser JS sandboxing to protect users which is not much different from protections in place when a user visits an arbitrary URL and JS loads on the page.
An admin of a self-hosted instance can modify the CSS, yes. A notebook can include arbitrary CSS and JS which affect the rendering on nbviewer. Here's an example: http://nbviewer.jupyter.org/gist/parente/35f5d3a9145bd3f030c8 There's currently no public CSS "API" declared in nbviewer to guarantee stability of CSS class names over time if a notebook chooses to override them, nor any formal metadata in the notebook spec that lets a notebook document declare a "theme" for how it should be rendered.
Yes.
Yes, to the same extent a user visiting any page on the web needs to worry about malicious JS.
It's possible to run both on the same host. You can run nbviewer with |
Hello @parente Thank you for your answers. They helped me to understand what should be done in order to make the user experience more secure than it's now: not simply rely on browser sandboxing but give a feel of safety like on GitHub site. |
Not long ago the Idea to enhance nbviewer with js/css plugins to make nbviewer+ipynb secure, dynamic and mobile friendly visited me. The proposed idea would create a new online publishing experience. New in a sense that we are still to get a free secure one click solution convenient both for the content publishers and for content readers on desktop and mobile.
And actually nbviewer is almost there. There a few things lacking though. And I'm curious if they can be added/checked:
Some notes
UPD
Discussion at kiwi0fruit/misc#1
Discussion at vuejs/vuepress#646
The text was updated successfully, but these errors were encountered: