Apply CSP sandboxing for nbconvert responses
These may contain untrusted content, so they should be treated as being
from a different domain to the notebook server.
takluyver committed Oct 22, 2018
1 parent 04a686d commit 107a89f
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions notebook/nbconvert/handlers.py
Expand Up @@ -78,6 +78,13 @@ class NbconvertFileHandler(IPythonHandler):

SUPPORTED_METHODS = ('GET',)

@property
def content_security_policy(self):
# In case we're serving HTML/SVG, confine any Javascript to a unique
# origin so it can't interact with the notebook server.
return super(NbconvertFileHandler, self).content_security_policy + \
"; sandbox allow-scripts"

@web.authenticated
def get(self, format, path):

Expand Down Expand Up @@ -145,6 +152,13 @@ def get(self, format, path):
class NbconvertPostHandler(IPythonHandler):
SUPPORTED_METHODS = ('POST',)

@property
def content_security_policy(self):
# In case we're serving HTML/SVG, confine any Javascript to a unique
# origin so it can't interact with the notebook server.
return super(NbconvertPostHandler, self).content_security_policy + \
"; sandbox allow-scripts"

@web.authenticated
def post(self, format):
exporter = get_exporter(format, config=self.config)
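Review bot: The appended `sandbox allow-scripts` is silently dropped if the policy returned by `super().content_security_policy` already carries a `sandbox` directive, because CSP enforces only the first occurrence of a directive name and ignores later duplicates; if that base policy can be operator-supplied, the property should check for an existing `sandbox` directive instead of blindly appending. The same seven lines are duplicated verbatim in NbconvertFileHandler and NbconvertPostHandler, so a small mixin or a module-level `_SANDBOX_CSP = "; sandbox allow-scripts"` constant would keep the two from drifting. The invariant the fix rests on deserves a comment next to the string, e.g. `# Never add allow-same-origin here: combined with allow-scripts it hands the converted content the notebook server's origin and cookies, defeating the sandbox.` The header also only protects content rendered in a browser; a downloaded export opened locally gets no CSP. The bodies of get() and post() continue outside the hunk.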
