Show More
| @@ -180,20 +180,30 b' Backwards incompatible changes' | |||
|
|
180 | 180 | |
|
|
181 | 181 | .. DO NOT EDIT THIS LINE BEFORE RELEASE. INCOMPAT INSERTION POINT. |
|
|
182 | 182 | |
|
|
183 | IFrame embedding | |
|
|
184 | ```````````````` | |
|
|
183 | Content Security Policy | |
|
|
184 | ``````````````````````` | |
|
|
185 | 185 | |
|
|
186 | The IPython Notebook and its APIs by default will only be allowed to be | |
|
|
187 | embedded in an iframe on the same origin. | |
|
|
186 | The Content Security Policy is a web standard for adding a layer of security to | |
|
|
187 | detect and mitigate certain classes of attacks, including Cross Site Scripting | |
|
|
188 | (XSS) and data injection attacks. This was introduced into the notebook to | |
|
|
189 | ensure that the IPython Notebook and its APIs (by default) can only be embedded | |
|
|
190 | in an iframe on the same origin. | |
|
|
188 | 191 | |
|
|
189 | 192 | Override ``headers['Content-Security-Policy']`` within your notebook |
|
|
190 | 193 | configuration to extend for alternate domains and security settings.:: |
|
|
191 | 194 | |
|
|
192 | 195 | c.NotebookApp.tornado_settings = { |
|
|
193 | 196 | 'headers': { |
|
|
194 | 'Content-Security-Policy': "default-src 'self' *.jupyter.org | |
|
|
197 | 'Content-Security-Policy': "default-src 'self' *.jupyter.org" | |
|
|
195 | 198 | } |
|
|
196 | 199 | } |
|
|
197 | 200 | |
|
|
201 | Example policies:: | |
|
|
202 | ||
|
|
203 | Content-Security-Policy: default-src 'self' https://*.jupyter.org | |
|
|
204 | ||
|
|
205 | Matches embeddings on any subdomain of jupyter.org, so long as they are served | |
|
|
206 | over SSL. | |
|
|
207 | ||
|
|
198 | 208 | For a more thorough and accurate guide on Content Security Policies, check out |
|
|
199 | 209 | `MDN's Using Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy>`_ for more examples. |
General Comments 0
You need to be logged in to leave comments.
Login now