diff --git a/IPython/frontend/html/notebook/handlers.py b/IPython/frontend/html/notebook/handlers.py
index f275d18..cca8730 100644
--- a/IPython/frontend/html/notebook/handlers.py
+++ b/IPython/frontend/html/notebook/handlers.py
@@ -107,6 +107,7 @@ def authenticate_unless_readonly(f, self, *args, **kwargs):
     @web.authenticated
     def auth_f(self, *args, **kwargs):
         return f(self, *args, **kwargs)
+
     if self.application.read_only:
         return f(self, *args, **kwargs)
     else:
@@ -174,6 +175,14 @@ class AuthenticatedHandler(RequestHandler):
         return "%s://%s" % (proto, self.request.host)
 
 
+class AuthenticatedFileHandler(AuthenticatedHandler, web.StaticFileHandler):
+    """static files should only be accessible when logged in"""
+
+    @authenticate_unless_readonly
+    def get(self, path):
+        return web.StaticFileHandler.get(self, path)
+
+
 class ProjectDashboardHandler(AuthenticatedHandler):
 
     @authenticate_unless_readonly
diff --git a/IPython/frontend/html/notebook/notebookapp.py b/IPython/frontend/html/notebook/notebookapp.py
index 8c25a29..926cf5c 100644
--- a/IPython/frontend/html/notebook/notebookapp.py
+++ b/IPython/frontend/html/notebook/notebookapp.py
@@ -48,7 +48,8 @@ from .kernelmanager import MappingKernelManager
 from .handlers import (LoginHandler, LogoutHandler,
     ProjectDashboardHandler, NewHandler, NamedNotebookHandler,
     MainKernelHandler, KernelHandler, KernelActionHandler, IOPubHandler,
-    ShellHandler, NotebookRootHandler, NotebookHandler, RSTHandler
+    ShellHandler, NotebookRootHandler, NotebookHandler, RSTHandler,
+    AuthenticatedFileHandler,
 )
 from .notebookmanager import NotebookManager
 
@@ -104,7 +105,7 @@ class NotebookWebApplication(web.Application):
             (r"/notebooks", NotebookRootHandler),
             (r"/notebooks/%s" % _notebook_id_regex, NotebookHandler),
             (r"/rstservice/render", RSTHandler),
-            (r"/local/(.*)", web.StaticFileHandler, {'path' : notebook_manager.notebook_dir}),
+            (r"/local/(.*)", AuthenticatedFileHandler, {'path' : notebook_manager.notebook_dir}),
         ]
         settings = dict(
             template_path=os.path.join(os.path.dirname(__file__), "templates"),