Merge pull request #3341 from takluyver/csp-sandbox-files

takluyver · web-flow · commit e321c8077654 · 2018-03-09T14:22:16.000Z
Use CSP header to treat served files as belonging to a separate origin
diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
@@ -601,6 +601,13 @@ def prepare(self):
 class AuthenticatedFileHandler(IPythonHandler, web.StaticFileHandler):
     """static files should only be accessible when logged in"""
 
+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(AuthenticatedFileHandler, self).content_security_policy + \
+                "; sandbox allow-scripts"
+
     @web.authenticated
     def get(self, path):
         if os.path.splitext(path)[1] == '.ipynb' or self.get_argument("download", False):
diff --git a/notebook/files/handlers.py b/notebook/files/handlers.py
@@ -26,6 +26,13 @@ class FilesHandler(IPythonHandler):
     a subclass of StaticFileHandler.
     """
 
+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(FilesHandler, self).content_security_policy + \
+               "; sandbox allow-scripts"
+
     @web.authenticated
     def head(self, path):
         self.get(path, include_body=False)
