Potentially insecure CDN URL override mechanism for custom widgets #50

Open
vivek1729 opened this issue Dec 3, 2020 · 0 comments
The frontend code for third-party widgets is typically hosted on public CDNs and retrieved by the WidgetManager via HTTP calls.
The current implementation for custom widget support provides the following mechanism to override the base CDN URL for fetching widgets:

<script data-jupyter-widgets-cdn="https://cdn.jsdelivr.net/npm" src="bundle.js"></script>

The data-jupyter-widgets-cdn attribute on a script tag is based on the HTML Manager example in the ipywidgets project. This extensibility point on the DOM can potentially allow a user to override the base CDN URL to a malicious link and might open up avenues for scripting attacks.

We'd want to better understand this design choice, investigate and address this security issue for the jupyter-widgets package.
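One defensive way to consume such an override is to validate the attribute value against an allowlist of trusted CDN origins before the widget manager loads anything from it. This is an added example, not code from ipywidgets or jupyter-widgets; the names `resolveWidgetCdn`, `cdnFromDocument`, `DEFAULT_CDN` and `TRUSTED_CDN_ORIGINS` are assumed, and the allowlisted origins are sample values.

```javascript
// Added example (not ipywidgets/jupyter-widgets code): validate a CDN base URL
// taken from the data-jupyter-widgets-cdn attribute before it is used.
// Assumed names: resolveWidgetCdn, cdnFromDocument, DEFAULT_CDN, TRUSTED_CDN_ORIGINS.

const DEFAULT_CDN = "https://cdn.jsdelivr.net/npm/";

// Sample allowlist of origins widget bundles may be fetched from (constructed).
const TRUSTED_CDN_ORIGINS = new Set([
  "https://cdn.jsdelivr.net",
  "https://unpkg.com",
]);

/**
 * Decide which CDN base to use for widget bundles.
 * `attrValue` is the raw attribute string, or null when the attribute is absent.
 * Falls back to the default when the override is missing, unparsable, not HTTPS,
 * not an allowlisted origin, or carries credentials, a query string or a fragment.
 */
function resolveWidgetCdn(attrValue, trusted = TRUSTED_CDN_ORIGINS, fallback = DEFAULT_CDN) {
  if (typeof attrValue !== "string" || attrValue.trim() === "") return fallback;
  let url;
  try {
    url = new URL(attrValue.trim()); // relative paths and garbage throw here
  } catch (e) {
    return fallback;
  }
  if (url.protocol !== "https:") return fallback;        // rejects http:, data:, javascript:
  if (!trusted.has(url.origin)) return fallback;         // origin = scheme + host + port
  if (url.username || url.password) return fallback;     // "user@host" tricks
  if (url.search !== "" || url.hash !== "") return fallback;
  // Normalise to a trailing slash so package paths append cleanly.
  return url.href.endsWith("/") ? url.href : url.href + "/";
}

// Browser-side lookup: consult only the first script element carrying the attribute.
// In a non-browser environment (no `document`) the default CDN is used.
function cdnFromDocument(doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return DEFAULT_CDN;
  const el = doc.querySelector("script[data-jupyter-widgets-cdn]");
  return resolveWidgetCdn(el ? el.getAttribute("data-jupyter-widgets-cdn") : null);
}
```

Because the check keys on `url.origin`, a lookalike host or an `https://trusted@other.host/` form does not pass even though the string starts with the trusted name.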
