
Apply CSP sandboxing for nbconvert responses

These may contain untrusted content, so they should be treated as being
from a different domain to the notebook server.
takluyver committed Oct 22, 2018
1 parent 04a686d commit 107a89fce5f413fb5728c1c5d2c7788e1fb17491
Showing with 14 additions and 0 deletions.
  1. +14 −0 notebook/nbconvert/handlers.py
@@ -78,6 +78,13 @@ class NbconvertFileHandler(IPythonHandler):
SUPPORTED_METHODS = ('GET',)
@property
def content_security_policy(self):
# In case we're serving HTML/SVG, confine any Javascript to a unique
# origin so it can't interact with the notebook server.
return super(NbconvertFileHandler, self).content_security_policy + \
"; sandbox allow-scripts"
@web.authenticated
def get(self, format, path):
@@ -145,6 +152,13 @@ def get(self, format, path):
class NbconvertPostHandler(IPythonHandler):
SUPPORTED_METHODS = ('POST',)
@property
def content_security_policy(self):
# In case we're serving HTML/SVG, confine any Javascript to a unique
# origin so it can't interact with the notebook server.
return super(NbconvertPostHandler, self).content_security_policy + \
"; sandbox allow-scripts"
@web.authenticated
def post(self, format):
exporter = get_exporter(format, config=self.config)
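Review bot: The two `content_security_policy` overrides on NbconvertFileHandler and NbconvertPostHandler are byte-identical apart from the class name, so the directive string `"; sandbox allow-scripts"` now lives in two places and a later edit to one (adding or dropping a sandbox flag) can silently diverge from the other; a module-level constant such as `_NBCONVERT_CSP_SUFFIX = "; sandbox allow-scripts"` referenced from both, or a small mixin, keeps the policy in one place. The concatenation also assumes the base `content_security_policy` inherited from IPythonHandler is a non-empty string; if it can ever be empty the header would begin with a bare `;`, which I cannot confirm from this hunk. Each override would benefit from a comment stating that the isolation depends on `allow-same-origin` being deliberately absent, e.g. `# 'allow-same-origin' is intentionally omitted: it would hand the page the notebook server's origin and defeat the sandbox.`, and a handler test asserting the `Content-Security-Policy` response header contains `sandbox allow-scripts` would guard against regression (note the sandbox directive is only honoured on the enforcing header, not on Report-Only). Both hunks cut through their class bodies, which begin before and continue past the shown lines.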
