Idea to enhance nbviewer with js/css plugins to make nbviewer+ipynb secure, dynamic and mobile friendly #778

Open
kiwi0fruit opened this issue Jul 6, 2018 · 5 comments
Labels
type:Question A question about the installation, use, or development of the project

@kiwi0fruit

kiwi0fruit commented Jul 6, 2018

Not long ago the Idea to enhance nbviewer with js/css plugins to make nbviewer+ipynb secure, dynamic and mobile friendly visited me. The proposed idea would create a new online publishing experience. New in a sense that we are still to get a free secure one click solution convenient both for the content publishers and for content readers on desktop and mobile.

And actually nbviewer is almost there. There are a few things lacking though. And I'm curious if they can be added/checked:

  • Should the person who was given the link to nbviewer worry about malicious JavaScript that was inserted by an unknown notebook creator (or other malicious Python code)?
  • Can the css theme and html template of nbviewer be changed? At least at the self-hosted server (I guess it should be possible). But it would be really nice if a notebook can set in a json a theme to pick from supported by nbviewer.
  • And does nbviewer support interactive plots (interactive python or interactive js)? If not, is there a way to add them securely? If yes, should the person who was given the link to nbviewer worry about malicious JavaScript?
  • Is it easy to run nbviewer locally on the same machine as Jupyter? It would be useful to write a Notebook and see how it would be viewed right there.

Some notes

  1. From blog.jupyter.org

    Second, because of security concerns, some features available on nbviewer will not be available on GitHub. For example, GitHub will not render any dynamic output display that uses JavaScript, custom CSS, and most custom HTML embedded in Markdown or in outputs.

UPD

Discussion at kiwi0fruit/misc#1
Discussion at vuejs/vuepress#646

@kiwi0fruit
Author

kiwi0fruit commented Jul 6, 2018

Idea to enhance nbviewer with js/css plugins to make nbviewer+ipynb secure, dynamic and mobile friendly

@Carreau @minrk If interested please see the idea description. The proposed idea would create a new online publishing experience. New in a sense that we are still to get a free secure one click solution convenient both for the content publishers and for content readers on desktop and mobile.

@kiwi0fruit kiwi0fruit changed the title from "Security and custom css themes" to "Idea to enhance nbviewer with js/css plugins to make nbviewer+ipynb secure, dynamic and mobile friendly" Jul 8, 2018
@kiwi0fruit
Author

kiwi0fruit commented Jul 8, 2018

Idea to enhance nbviewer with js/css plugins to make nbviewer+ipynb secure, dynamic and mobile friendly

@fperez If interested please see the idea description. The proposed idea would create a new online publishing experience. New in a sense that we are still to get a free secure one click solution convenient both for the content publishers and for content readers on desktop and mobile.

@parente
Member

parente commented Sep 1, 2018

Hi @kiwi0fruit. Thank you for sharing your idea. I'll try to answer your questions below. I'm not sure yet if they're possible or appropriate for nbviewer given its scope (nbconvert as a public service) or status (devs focusing on other parts of the Jupyter ecosystem), but maybe with some back and forth we can see what shakes out.

    Should the person who was given the link to nbviewer worry about malicious JavaScript that was inserted by an unknown notebook creator (or other malicious Python code)?

Notebooks can contain arbitrary JavaScript output and nbviewer will execute it on page load. We're relying on standard browser JS sandboxing to protect users which is not much different from protections in place when a user visits an arbitrary URL and JS loads on the page.

    Can the css theme and html template of nbviewer be changed? At least at the self-hosted server (I guess it should be possible). But it would be really nice if a notebook can set in a json a theme to pick from supported by nbviewer.

An admin of a self-hosted instance can modify the CSS, yes. A notebook can include arbitrary CSS and JS which affect the rendering on nbviewer. Here's an example: http://nbviewer.jupyter.org/gist/parente/35f5d3a9145bd3f030c8

There's currently no public CSS "API" declared in nbviewer to guarantee stability of CSS class names over time if a notebook chooses to override them, nor any formal metadata in the notebook spec that lets a notebook document declare a "theme" for how it should be rendered.

    And does nbviewer support interactive plots (interactive python or interactive js)? If not, is there a way to add them securely?

Yes.

    If yes should the person who was given the link to nbviewer worry about malicious JavaScript?

Yes, to the same extent a user visiting any page on the web needs to worry about malicious JS.

    Is it easy to run nbviewer locally on the same machine as Jupyter? It would be useful to write a Notebook and see how it would be viewed right there.

It's possible to run both on the same host. You can run nbviewer with --localfiles=/path/to/your/notebook/dir and view any notebook files and folders you save from Jupyter Notebook/Lab via the nbviewer instance. There are no conveniences built into Notebook, Lab, or nbviewer to make switching between viewing and editing.

@parente parente added the type:Question A question about the installation, use, or development of the project label Sep 1, 2018
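
The following is an added example, not part of the original thread and not nbviewer's own code: a static check that lists which cells of a notebook carry the content types discussed above (JavaScript outputs, and raw HTML or CSS in Markdown cells or outputs) before a link to its rendering is shared. It assumes the nbformat 4 JSON layout; the function names, the pattern list and the sample notebook are illustrative.

```python
import json
import re

# MIME types that an HTML rendering of a notebook hands to the browser as script or markup.
SCRIPT_MIMES = {"application/javascript", "text/javascript"}
MARKUP_MIMES = {"text/html", "image/svg+xml"}
# Heuristic patterns for markup that runs script or restyles the page; may over-report.
ACTIVE_MARKUP = re.compile(
    r"<\s*(?:script|style|iframe|object|embed|link)\b|\bon\w+\s*=|javascript:", re.I)


def _text(value):
    """nbformat stores multi-line text as either a string or a list of lines."""
    return "".join(value) if isinstance(value, list) else str(value)


def find_active_content(nb):
    """Return (cell_index, location, reason) tuples for an nbformat 4 notebook dict."""
    findings = []
    for i, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") == "markdown":
            m = ACTIVE_MARKUP.search(_text(cell.get("source", "")))
            if m:
                findings.append((i, "markdown", "raw HTML: " + m.group(0)))
        for out in cell.get("outputs", []):  # only code cells carry outputs
            for mime, payload in out.get("data", {}).items():
                if mime in SCRIPT_MIMES:
                    findings.append((i, mime, "JavaScript output"))
                elif mime in MARKUP_MIMES:
                    m = ACTIVE_MARKUP.search(_text(payload))
                    if m:
                        findings.append((i, mime, "active markup: " + m.group(0)))
    return findings


def scan_file(path):  # load an .ipynb file from disk and scan it
    with open(path, encoding="utf-8") as fh:
        return find_active_content(json.load(fh))


# Constructed sample notebook (not from the issue): one cell per case.
SAMPLE = {"nbformat": 4, "nbformat_minor": 2, "metadata": {}, "cells": [
    {"cell_type": "markdown", "source": ["# Demo\n", "<style>.container{width:100%}</style>"]},
    {"cell_type": "code", "outputs": [{"output_type": "execute_result", "data": {"text/plain": "2"}}]},
    {"cell_type": "code", "source": "Javascript(...)", "outputs": [
        {"output_type": "display_data", "data": {"application/javascript": "element.text('hi')"}}]},
    {"cell_type": "code", "source": "HTML(...)", "outputs": [
        {"output_type": "display_data", "data": {"text/html": "<div onclick=\"go()\">plot</div>"}}]},
]}
```

A finding means the notebook carries content the browser will act on when the page is rendered, not that the content is malicious.
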
@kiwi0fruit
Author

Hello @parente

Thank you for your answers. They helped me to understand what should be done in order to make the user experience more secure than it is now: not simply rely on browser sandboxing but give a feel of safety like on the GitHub site.

@kiwi0fruit
Author

kiwi0fruit commented Sep 14, 2018

TODO for myself:

  • Play with gatsby or vuepress in order to try to leverage existing themes and plugins. Also use nbconvert (or notedown). I'm not sure if this way would require nbviewer at all or if this way is fast enough for online on-demand conversion.
