Hi Jeremy, Your original question made it sound like you might be using the notebook purely as a dashboard interface with some level of point-and-click interactivity. This should be doable using the advice you have already received, provided you have good control of your users work environment. If you do not, then you must consider that any restrictions implemented in client-side JS can be circumvented by browser extensions. This is before you even consider the screenshot hole, which lately also includes cell phone photos of the screen.
Now that you have added the requirement that users be able to input and execute normal code cells, you may need to rethink your security model even further. A few lines of Python is quite adequate to upload a dataset to an outside server, load new JS code into the browser, or make arbitrary changes to locally writable files. In the general case, preventing data exfiltration is a hard problem, even with very strict controls on the users. My advice, based on my organization's work to build a system with similar requirements, is this: if you want to use a system as flexible as Jupyter, forget about detailed control of how your users interact with data. Instead, focus your technical effort on detailed logging of which users have been given access to which data, educate your users about acceptable data use, and make it crystal clear that they will be held accountable if data is mishandled. Regards, Michael On Feb 20, 2018 6:41 PM, "Jeremy Ho" <[email protected]> wrote: Hi Matthias, Thank you for your response. For some background context, the notebooks will have access to sensitive data sources that we don't want to have leaving the notebooks, and we also don't want to have users can inserting their own content into the environment. Blocking copy and paste is one of the main features that we wish to achieve. Essentially, we would like to ensure that a JupyterHub notebook user is able to use and modify their notebooks at will normally (via typing, clicking and normal keystrokes), but disallow them from inserting or removing data to and from said notebooks via copy/paste. Additionally, we would like to prevent the the mouse right click or equivalent keyboard event as well. In the meantime, I will go ahead and take a look at inserting the Javascript example solution you have provided into the Jupyter Notebook image and evaluate if it meets our requirements. I will also experiment with additional Javascript code in that js file intercepting other events (equivalent to right click) in addition to Clipboard event. If you have any other ideas or suggestions, please let me know. Thanks again, Jeremy On Tuesday, 20 February 2018 10:17:24 UTC-8, Matthias Bussonnier wrote: > Hello Jeremy, > > Thanks for your question, > > A few Questions: is copy and past the only thing you want to block ? Do > you sill want users to be able to modify notebooks by typing ? Is the a > specific requirement/certification you need to have ? > > A couple of clarification as well: JupyterHub act only as a proxy it is > likely note JupyterHub, but Jupyter notebook itself that you will need to > patch/configure to do so. It is not baked in but you probably can use > extensions mechanism to do that. > > There are ways in Javascript to prevent copy pasting, for example: > > document.addEventListener('copy', function(e){ > e.clipboardData.setData('text/plain', 'NO'); > e.preventDefault(); // We want our data, not data from any selection, > to be written to the clipboard > }); > > Will listen for copy events and replace the Data by "NO", you can also > ping a custom URL to log when users are trying to copy. > Adapt for past events as well. > > For the classic notebook you can either build that as an extension, or put > it in users's `custom.js` (which I guess you will have control over) > > Does that make some sens ? > -- > Matthias > > > > > On 19 February 2018 at 12:22, Jujaga <[email protected]> wrote: > >> Hi all, >> >> Our group is currently leveraging zero-to-jupyterhub-k8s in order to >> provide Notebooks to a multi-user environment via Kubernetes. However, we >> also have a business requirement where we must prevent users from copying >> information out of the Notebooks, as well as preventing the insertion of >> code and other information into the Notebooks. We want to effectively block >> any textual information to and from the client's browser while still >> maintaining their ability to use the Notebooks. >> >> We were wondering if there exists a method of achieving this? We are more >> than happy to provide more information and context as needed. >> >> Thanks in advance, >> Jeremy >> >> -- >> Jeremy Ho >> Software Engineer >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Project Jupyter" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To post to this group, send email to [email protected]. >> >> To view this discussion on the web visit https://groups.google.com/d/ms >> gid/jupyter/CAFMFVKuekm25o7gP0g2qTeDrGSeAP-WPVjBp2nsKWB4B3M4USw%40mail.gm >> ail.com >> <https://groups.google.com/d/msgid/jupyter/CAFMFVKuekm25o7gP0g2qTeDrGSeAP-WPVjBp2nsKWB4B3M4USw%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> For more options, visit https://groups.google.com/d/optout. >> > > -- You received this message because you are subscribed to the Google Groups "Project Jupyter" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/ msgid/jupyter/09c7c325-e45f-4f7a-9d4f-69a4eb5a8ed7%40googlegroups.com <https://groups.google.com/d/msgid/jupyter/09c7c325-e45f-4f7a-9d4f-69a4eb5a8ed7%40googlegroups.com?utm_medium=email&utm_source=footer> . For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Project Jupyter" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/CAPuy8grAcHV4wRUxT7WPsvSWUbMUF5BjX2vgwj%3D2_Kv-qrrtHQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
