yuvipanda
commented
3 years ago Mathjax and requirejs are the only ones left now. However, rendered notebooks will probably still load 3rd party JS. Nothing much I can do about that.
Open yuvipanda opened 3 years ago
yuvipanda
commented
3 years ago Mathjax and requirejs are the only ones left now. However, rendered notebooks will probably still load 3rd party JS. Nothing much I can do about that.
psychemedia
commented
3 years ago Re: rendered notebooks - I guess it would be possible to sanitise and maybe even rewrite to a whitelisted set domains, although that would mean rewriting uploaded ipynb?
yuvipanda
commented
3 years ago Ah, hmm. I was only thinking of the things we load by default - requirejs and mathjax.
This brings up a question of how safe we want to consider the rendered notebook to be. GitHub runs no JS, nbviewer does. Currently, we're at the nbviewer level - running hypothes.is is already unsafe now....
psychemedia
commented
3 years ago To my mind, nbviewer rendering is far more useful than Github (plus Github renderer continues to have issues accessing notebook files...).
If you are looking at JupyterBook levels of rendering, then folk absolutely need ability to embed js powered outputs?
yuvipanda
commented
3 years ago yeah totally! I think I'll do this in a way where if we enable hypothesis, inetractivity in notebook stops. Otherwise it can keep going. This is a good compromise I think
psychemedia
commented
3 years ago In passing, I note this (old?) site relating to Hypothes.is security model: https://h.readthedocs.io/projects/client/en/latest/developers/security/
We load 3rd party JS for a lot of things. We can probably replace all of them, except hypothesis. We should. This might mean we need webpack tho.