Merge pull request #3341 from takluyver/csp-sandbox-files

Use CSP header to treat served files as belonging to a separate origin
jupyter · Mar 9, 2018 · e321c80 · e321c80
2 parents c1c7d3d + 694ed72
commit e321c80
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
@@ -601,6 +601,13 @@ def prepare(self):
 class AuthenticatedFileHandler(IPythonHandler, web.StaticFileHandler):
     """static files should only be accessible when logged in"""
 
+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(AuthenticatedFileHandler, self).content_security_policy + \
+                "; sandbox allow-scripts"
+
     @web.authenticated
     def get(self, path):
         if os.path.splitext(path)[1] == '.ipynb' or self.get_argument("download", False):

diff --git a/notebook/files/handlers.py b/notebook/files/handlers.py
@@ -26,6 +26,13 @@ class FilesHandler(IPythonHandler):
     a subclass of StaticFileHandler.
     """
 
+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(FilesHandler, self).content_security_policy + \
+               "; sandbox allow-scripts"
+
     @web.authenticated
     def head(self, path):
         self.get(path, include_body=False)