Apply CSP sandboxing for nbconvert responses

These may contain untrusted content, so they should be treated as being from a different domain to the notebook server.
jupyter · Nov 16, 2018 · 4026ef0 · 4026ef0
1 parent 775cb20
commit 4026ef0
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/notebook/nbconvert/handlers.py b/notebook/nbconvert/handlers.py
@@ -78,6 +78,13 @@ class NbconvertFileHandler(IPythonHandler):
 
     SUPPORTED_METHODS = ('GET',)
 
+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(NbconvertFileHandler, self).content_security_policy + \
+               "; sandbox allow-scripts"
+
     @web.authenticated
     def get(self, format, path):
 
@@ -145,6 +152,13 @@ def get(self, format, path):
 class NbconvertPostHandler(IPythonHandler):
     SUPPORTED_METHODS = ('POST',)
 
+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(NbconvertPostHandler, self).content_security_policy + \
+               "; sandbox allow-scripts"
+
     @web.authenticated
     def post(self, format):
         exporter = get_exporter(format, config=self.config)