In another thread I wrote: "Leo looks like an unverifiable cgi script to the server, which means one user (or small, *trusted* group of users) must be *fully* responsible for the damage Leo could cause. It might be possible to host a Leo server in a per-user (or per-small group) virtual machine somewhere, but that's it. I see no way to run a public, unsecured, Leo server."

Exactly these security issues arise in Jupyter <http://jupyter.org/>. The solutions in the Security in the Jupyter notebook server <https://jupyter-notebook.readthedocs.io/en/stable/security.html> seem appropriate for LeoWapp.

It seems we have only two choices:

1. Limit access to LeoWapp to a single machine. Remote access is prohibited, unless the user has the token/password created when the server starts. We assume all local .leo files are trusted.

2. Use the full Jupyter security scheme. We distinguish between trusted and untrusted .leo files, and use authentication similar to Jupyter.

Your comments, please.

Edward
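
Choice 1 above, sketched as an access check. This is an added example, not part of the original post and not Leo's or Jupyter's code; the function names and the sample addresses are assumptions, and `client_ip` is assumed to be the socket peer address.

```python
import hmac
import ipaddress
import secrets
from typing import Optional


def new_server_token() -> str:
    """Create the per-run token once, when the server starts (hypothetical helper)."""
    return secrets.token_urlsafe(32)


def is_loopback(client_ip: str) -> bool:
    """True only for loopback peers; anything unparseable is treated as remote."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # An IPv4-mapped IPv6 peer (::ffff:127.0.0.1) is judged by its IPv4 address.
    mapped = getattr(addr, "ipv4_mapped", None)
    return (mapped or addr).is_loopback


def allow_request(client_ip: str, presented: Optional[str], server_token: str) -> bool:
    """Choice 1: same-machine clients pass; remote clients need the startup token."""
    if is_loopback(client_ip):
        return True
    if not presented:
        return False
    # Constant-time comparison so response timing does not leak token prefixes.
    return hmac.compare_digest(presented.encode(), server_token.encode())


if __name__ == "__main__":
    token = new_server_token()
    # Constructed sample requests: (peer address, token presented by the client).
    samples = [
        ("127.0.0.1", None),
        ("::1", None),
        ("203.0.113.7", None),
        ("203.0.113.7", "guess"),
        ("203.0.113.7", token),
    ]
    for ip, tok in samples:
        shown = "<none>" if tok is None else ("<valid>" if tok == token else tok)
        print(f"{ip:15} token={shown:8} allowed={allow_request(ip, tok, token)}")
```

Behind a reverse proxy on the same host every peer address is loopback, so in that deployment the check would have to require the token for all requests.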
