Apply CSP sandboxing for nbconvert responses

These may contain untrusted content, so they should be treated as being from a different domain to the notebook server.
8 years ago · 107a89fce5
parent 04a686dbaf
commit 107a89fce5
1 changed files with 14 additions and 0 deletions
--- a/notebook/nbconvert/handlers.py
+++ b/notebook/nbconvert/handlers.py
@ -78,6 +78,13 @@ class NbconvertFileHandler(IPythonHandler):

    SUPPORTED_METHODS = ('GET',)

+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(NbconvertFileHandler, self).content_security_policy + \
+               "; sandbox allow-scripts"
+
    @web.authenticated
    def get(self, format, path):

@ -145,6 +152,13 @@ class NbconvertFileHandler(IPythonHandler):
 class NbconvertPostHandler(IPythonHandler):
    SUPPORTED_METHODS = ('POST',)

+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(NbconvertPostHandler, self).content_security_policy + \
+               "; sandbox allow-scripts"
+
    @web.authenticated
    def post(self, format):
        exporter = get_exporter(format, config=self.config)