Merge pull request #3341 from takluyver/csp-sandbox-files

Use CSP header to treat served files as belonging to a separate origin
8 years ago · e321c80776
parent c1c7d3df59 694ed72fb4
commit e321c80776
2 changed files with 14 additions and 0 deletions
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@ -601,6 +601,13 @@ class Template404(IPythonHandler):
 class AuthenticatedFileHandler(IPythonHandler, web.StaticFileHandler):
    """static files should only be accessible when logged in"""

+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(AuthenticatedFileHandler, self).content_security_policy + \
+                "; sandbox allow-scripts"
+
    @web.authenticated
    def get(self, path):
        if os.path.splitext(path)[1] == '.ipynb' or self.get_argument("download", False):
--- a/notebook/files/handlers.py
+++ b/notebook/files/handlers.py
@ -26,6 +26,13 @@ class FilesHandler(IPythonHandler):
    a subclass of StaticFileHandler.
    """

+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(FilesHandler, self).content_security_policy + \
+               "; sandbox allow-scripts"
+
    @web.authenticated
    def head(self, path):
        self.get(path, include_body=False)