Use content_security_policy property to add restriction when serving user files

8 years ago · 694ed72fb4
parent 901f1e9492
commit 694ed72fb4
2 changed files with 14 additions and 8 deletions
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@ -601,6 +601,13 @@ class Template404(IPythonHandler):
 class AuthenticatedFileHandler(IPythonHandler, web.StaticFileHandler):
    """static files should only be accessible when logged in"""

+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(AuthenticatedFileHandler, self).content_security_policy + \
+                "; sandbox allow-scripts"
+
    @web.authenticated
    def get(self, path):
        if os.path.splitext(path)[1] == '.ipynb' or self.get_argument("download", False):
@ -629,10 +636,6 @@ class AuthenticatedFileHandler(IPythonHandler, web.StaticFileHandler):
        # disable browser caching, rely on 304 replies for savings
        if "v" not in self.request.arguments:
            self.add_header("Cache-Control", "no-cache")
-
-        # In case we're serving HTML/SVG, confine any Javascript to a unique
-        # origin so it can't interact with the notebook server.
-        self.set_header('Content-Security-Policy', 'sandbox allow-scripts')
    
    def compute_etag(self):
        return None
--- a/notebook/files/handlers.py
+++ b/notebook/files/handlers.py
@ -26,6 +26,13 @@ class FilesHandler(IPythonHandler):
    a subclass of StaticFileHandler.
    """

+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(FilesHandler, self).content_security_policy + \
+               "; sandbox allow-scripts"
+
    @web.authenticated
    def head(self, path):
        self.get(path, include_body=False)
@ -64,10 +71,6 @@ class FilesHandler(IPythonHandler):
                else:
                    self.set_header('Content-Type', 'text/plain; charset=UTF-8')

-        # In case we're serving HTML/SVG, confine any Javascript to a unique
-        # origin so it can't interact with the notebook server.
-        self.set_header('Content-Security-Policy', 'sandbox allow-scripts')
-
        if include_body:
            if model['format'] == 'base64':
                b64_bytes = model['content'].encode('ascii')