Use CSP header to treat served files as belonging to a separate origin

notebook/base/handlers.py

@@ -629,6 +629,10 @@ class AuthenticatedFileHandler(IPythonHandler, web.StaticFileHandler):
         # disable browser caching, rely on 304 replies for savings
         if "v" not in self.request.arguments:
             self.add_header("Cache-Control", "no-cache")
+
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        self.set_header('Content-Security-Policy', 'sandbox allow-scripts')
     
     def compute_etag(self):
         return None

notebook/files/handlers.py

@@ -64,6 +64,10 @@ class FilesHandler(IPythonHandler):
                 else:
                     self.set_header('Content-Type', 'text/plain; charset=UTF-8')
 
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        self.set_header('Content-Security-Policy', 'sandbox allow-scripts')
+
         if include_body:
             if model['format'] == 'base64':
                 b64_bytes = model['content'].encode('ascii')