I've thought a few times in the past couple of years about making a Jupyter Notebooks-style app. I always get hung up on how secure I'd need to make it.
It's come up again in a design I was working on, and then I saw this really clean and simple notebooks proof-of-concept. So I backed up to ask what even is a reasonable expectation of security for these things. The answers weren't hard to find, actually.
Here's what Jupyter says:

The whole point of Jupyter is arbitrary code execution. We have no desire to limit what can be done with a notebook, which would negatively impact its utility.

Unlike other programs, a Jupyter notebook document includes output. Unlike other documents, that output exists in a context that can execute code (via Javascript).

The security problem we need to solve is that no code should execute just because a user has opened a notebook that they did not write. Like any other program, once a user decides to execute code in a notebook, it is considered trusted, and should be allowed to do anything.
I think that's very reasonable, both for users and the developers of notebook-style apps.
Here is Observable's stance:

Observable's security model is that notebook content runs in a sandboxed, cross-origin iframe. This prevents any malicious content in notebooks from being able to access the surrounding page, so the risk of malicious JavaScript modifying the Observable UI, stealing credentials, or other nefarious activity, is nullified. It's true that on other websites, loading resources from third-parties is a risky proposal given that jsdelivr or unpkg or another site could be taken over. But in the case of Observable, the impact of that would be minimal.
Once you define how far you have to go, this kind of app seems much more makable.