WARNING: THIS SITE IS A MIRROR OF GITHUB.COM / IT CANNOT LOGIN OR REGISTER ACCOUNTS / THE CONTENTS ARE PROVIDED AS-IS / THIS SITE ASSUMES NO RESPONSIBILITY FOR ANY DISPLAYED CONTENT OR LINKS / IF YOU FOUND SOMETHING MAY NOT GOOD FOR EVERYONE, CONTACT ADMIN AT ilovescratch@foxmail.com
Skip to content

Potentially insecure CDN URL override mechanism for custom widgets #50

New issue
New issue
Open
Open
Potentially insecure CDN URL override mechanism for custom widgets#50
@vivek1729

Description

@vivek1729
vivek1729
opened on Dec 3, 2020

The frontend code for 3rd party widgets is typically hosted on public CDNs and retrieved by the WidgetManager via HTTP calls.
Current implementation for custom widget support provides the following mechanism to override the base CDN URL for fetching widgets:

<script data-jupyter-widgets-cdn="https://cdn.jsdelivr.net/npm" src="bundle.js"></script>

The data-jupyter-widgets-cdn attribute on a script tag is based off the HTML Manager example in the ipywidgets project. This extensibility point on the DOM can potentially allow a user to override the base CDN URL to a malicious link and might open up avenues for scripting attacks.

We'd want to better understand this design choice, investigate and address this security issue for the jupyter-widgets package.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions