upstream/ipython Commit - r19139:0d2565b7

180

181

.. DO NOT EDIT THIS LINE BEFORE RELEASE. INCOMPAT INSERTION POINT.

181

.. DO NOT EDIT THIS LINE BEFORE RELEASE. INCOMPAT INSERTION POINT.

182

183

IFrame embedding

183

Content Security Policy

184

````````````````

184

```````````````````````

185

186

The IPython Notebook and its APIs by default will only be allowed to be

186

The Content Security Policy is a web standard for adding a layer of security to

187

embedded in an iframe on the same origin.

187

detect and mitigate certain classes of attacks, including Cross Site Scripting

188

(XSS) and data injection attacks. This was introduced into the notebook to

189

ensure that the IPython Notebook and its APIs (by default) can only be embedded

190

in an iframe on the same origin.

188

191

189

Override ``headers['Content-Security-Policy']`` within your notebook

192

Override ``headers['Content-Security-Policy']`` within your notebook

190

configuration to extend for alternate domains and security settings.::

193

configuration to extend for alternate domains and security settings.::

191

194

192

c.NotebookApp.tornado_settings = {

195

c.NotebookApp.tornado_settings = {

193

'headers': {

196

'headers': {

194

'Content-Security-Policy': "default-src 'self' *.jupyter.org

197

'Content-Security-Policy': "default-src 'self' *.jupyter.org"

195

}

198

}

196

}

199

}

197

200

201

Example policies::

202

203

Content-Security-Policy: default-src 'self' https://*.jupyter.org

204

205

Matches embeddings on any subdomain of jupyter.org, so long as they are served

206

over SSL.

207

198

For a more thorough and accurate guide on Content Security Policies, check out

208

For a more thorough and accurate guide on Content Security Policies, check out

199

`MDN's Using Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy>`_ for more examples.

209

`MDN's Using Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy>`_ for more examples.

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             .. DO NOT EDIT THIS LINE BEFORE RELEASE. INCOMPAT INSERTION POINT.
-            IFrame embedding
+            Content Security Policy
-            ````````````````
+            ```````````````````````
-            The IPython Notebook and its APIs by default will only be allowed to be
+            The Content Security Policy is a web standard for adding a layer of security to
-            embedded in an iframe on the same origin.
+            detect and mitigate certain classes of attacks, including Cross Site Scripting
+            (XSS) and data injection attacks. This was introduced into the notebook to
+            ensure that the IPython Notebook and its APIs (by default) can only be embedded
+            in an iframe on the same origin.
             Override ``headers['Content-Security-Policy']`` within your notebook
             configuration to extend for alternate domains and security settings.::
                 c.NotebookApp.tornado_settings = {
                     'headers': {
-                        'Content-Security-Policy': "default-src 'self' *.jupyter.org
+                        'Content-Security-Policy': "default-src 'self' *.jupyter.org"
                     }
                 }
+            Example policies::
+                Content-Security-Policy: default-src 'self' https://*.jupyter.org
+            Matches embeddings on any subdomain of jupyter.org, so long as they are served
+            over SSL.
             For a more thorough and accurate guide on Content Security Policies, check out
             `MDN's Using Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy>`_ for more examples.