Re: [jupyter] Blocking copy/paste functionality to JupyterHub

[Roland Weber]

Hello Jeremy.

Blocking copy and paste is one of the main features that we wish to 
> achieve. Essentially, we would like to ensure that a JupyterHub notebook 
> user is able to use and modify their notebooks at will normally (via 
> typing, clicking and normal keystrokes),
>

When I write code, I normally copy longer variable names. Or 
functions I use more than once. Or import statements, where the path 
remains the same and only the name at the end changes. Disabled copy 
would make me feel thrown back into the age of typewriters. Let's hope I'm 
not representative of your user base, which will have to type out every 
occurrence of every variable and function name, fully qualified.
 

> but disallow them from inserting or removing data to and from said 
> notebooks via copy/paste. Additionally, we would like to prevent the the 
> mouse right click or equivalent keyboard event as well.
>

This is to prevent users from looking at the HTML source? Make sure to 
disable menu items that provide access to this feature, or that allow to 
save the current page as HTML. The notebook edit page is probably not 
stored in the browser cache, but you might want to double-check that.

The people that gave you these requirements are aware that users can still 
type everything they read into a second computer, or make "screenshots" 
with a mobile phone? Disabling copy doesn't stop anyone from getting 
data out of the system. It only makes that slightly more inconvenient, 
while at the same time compromising convenience for the intended use of the 
system as well. Folks who want to steal your data won't mind the extra 
hurdle very much. But folks who have to work with the system on a daily 
basis will.

cheers,
  Roland

-- 
You received this message because you are subscribed to the Google Groups 
"Project Jupyter" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jupyter+unsubscr...@googlegroups.com.
To post to this group, send email to jupyter@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jupyter/28178317-a75e-47f3-9627-0f42cf3ce152%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [jupyter] Blocking copy/paste functionality to JupyterHub

[Matthias Bussonnier]

Thanks Jeremy,


On 20 February 2018 at 16:41, Jeremy Ho  wrote:

> Hi Matthias,
>
> Thank you for your response. For some background context, the notebooks
> will have access to sensitive data sources that we don't want to have
> leaving the notebooks, and we also don't want to have users can inserting
> their own content into the environment.
>

> Blocking copy and paste is one of the main features that we wish to
> achieve. Essentially, we would like to ensure that a JupyterHub notebook
> user is able to use and modify their notebooks at will normally (via
> typing, clicking and normal keystrokes), but disallow them from inserting
> or removing data to and from said notebooks via copy/paste. Additionally,
> we would like to prevent the the mouse right click or equivalent keyboard
> event as well.
>

I'm wondering if asking the users not to change the dataset might not be
better handled by changing data permission either on a file system on with
Read-Only credential.


> In the meantime, I will go ahead and take a look at inserting the
> Javascript example solution you have provided into the Jupyter Notebook
> image and evaluate if it meets our requirements. I will also experiment
> with additional Javascript code in that js file intercepting other events
> (equivalent to right click) in addition to Clipboard event. If you have any
> other ideas or suggestions, please let me know.
>

One additional feature you might want to do, for example to prevent
screenshot, is to blank the window when it loses focus.
I can't guarantied that any of these features can't be worked around though.
-- 
Matthias




>
> Thanks again,
> Jeremy
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Project Jupyter" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jupyter+unsubscr...@googlegroups.com.
To post to this group, send email to jupyter@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jupyter/CANJQusV%3DJ60%3D5zeqNb7L%2B04-Wb62j7HT3XYGx%3D8kxPfZjE3Hbg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [jupyter] Blocking copy/paste functionality to JupyterHub

[Michael Milligan]

Hi Jeremy,

Your original question made it sound like you might be using the notebook
purely as a dashboard interface with some level of point-and-click
interactivity. This should be doable using the advice you have already
received, provided you have good control of your users work environment. If
you do not, then you must consider that any restrictions implemented in
client-side JS can be circumvented by browser extensions. This is before
you even consider the screenshot hole, which lately also includes cell
phone photos of the screen.

Now that you have added the requirement that users be able to input and
execute normal code cells, you may need to rethink your security model even
further. A few lines of Python is quite adequate to upload a dataset to an
outside server, load new JS code into the browser, or make arbitrary
changes to locally writable files. In the general case, preventing data
exfiltration is a hard problem, even with very strict controls on the users.

My advice, based on my organization's work to build a system with similar
requirements, is this: if you want to use a system as flexible as Jupyter,
forget about detailed control of how your users interact with data.
Instead, focus your technical effort on detailed logging of which users
have been given access to which data, educate your users about acceptable
data use, and make it crystal clear that they will be held accountable if
data is mishandled.

Regards,
Michael

On Feb 20, 2018 6:41 PM, "Jeremy Ho"  wrote:

Hi Matthias,

Thank you for your response. For some background context, the notebooks
will have access to sensitive data sources that we don't want to have
leaving the notebooks, and we also don't want to have users can inserting
their own content into the environment.

Blocking copy and paste is one of the main features that we wish to
achieve. Essentially, we would like to ensure that a JupyterHub notebook
user is able to use and modify their notebooks at will normally (via
typing, clicking and normal keystrokes), but disallow them from inserting
or removing data to and from said notebooks via copy/paste. Additionally,
we would like to prevent the the mouse right click or equivalent keyboard
event as well.

In the meantime, I will go ahead and take a look at inserting the
Javascript example solution you have provided into the Jupyter Notebook
image and evaluate if it meets our requirements. I will also experiment
with additional Javascript code in that js file intercepting other events
(equivalent to right click) in addition to Clipboard event. If you have any
other ideas or suggestions, please let me know.

Thanks again,
Jeremy


On Tuesday, 20 February 2018 10:17:24 UTC-8, Matthias Bussonnier wrote:

> Hello Jeremy,
>
> Thanks for your question,
>
> A few Questions: is copy and past the only thing you want to block ? Do
> you sill want users to be able to modify notebooks by typing ? Is the a
> specific requirement/certification you need to have ?
>
> A couple of clarification as well: JupyterHub act only as a proxy it is
> likely note JupyterHub, but Jupyter notebook itself that you will need to
> patch/configure to do so. It is not baked in but you probably can use
> extensions mechanism to do that.
>
> There are ways in Javascript to prevent copy pasting, for example:
>
> document.addEventListener('copy', function(e){
> e.clipboardData.setData('text/plain', 'NO');
> e.preventDefault(); // We want our data, not data from any selection,
> to be written to the clipboard
> });
>
> Will listen for copy events and replace the Data by "NO", you can also
> ping a custom URL to log when users are trying to copy.
> Adapt for past events as well.
>
> For the classic notebook you can either build that as an extension, or put
> it in users's `custom.js` (which I guess you will have control over)
>
> Does that make some sens ?
> --
> Matthias
>
>
>
>
> On 19 February 2018 at 12:22, Jujaga  wrote:
>
>> Hi all,
>>
>> Our group is currently leveraging zero-to-jupyterhub-k8s in order to
>> provide Notebooks to a multi-user environment via Kubernetes. However, we
>> also have a business requirement where we must prevent users from copying
>> information out of the Notebooks, as well as preventing the insertion of
>> code and other information into the Notebooks. We want to effectively block
>> any textual information to and from the client's browser while still
>> maintaining their ability to use the Notebooks.
>>
>> We were wondering if there exists a method of achieving this? We are more
>> than happy to provide more information and context as needed.
>>
>> Thanks in advance,
>> Jeremy
>>
>> --
>> Jeremy Ho
>> Software Engineer
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Project Jupyter" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to jupyter+u...@googlegroups.com.
>> To post to this group, send 

Re: [jupyter] Blocking copy/paste functionality to JupyterHub

[Jeremy Ho]

Hi Matthias,

Thank you for your response. For some background context, the notebooks 
will have access to sensitive data sources that we don't want to have 
leaving the notebooks, and we also don't want to have users can inserting 
their own content into the environment.

Blocking copy and paste is one of the main features that we wish to 
achieve. Essentially, we would like to ensure that a JupyterHub notebook 
user is able to use and modify their notebooks at will normally (via 
typing, clicking and normal keystrokes), but disallow them from inserting 
or removing data to and from said notebooks via copy/paste. Additionally, 
we would like to prevent the the mouse right click or equivalent keyboard 
event as well.

In the meantime, I will go ahead and take a look at inserting the 
Javascript example solution you have provided into the Jupyter Notebook 
image and evaluate if it meets our requirements. I will also experiment 
with additional Javascript code in that js file intercepting other events 
(equivalent to right click) in addition to Clipboard event. If you have any 
other ideas or suggestions, please let me know.

Thanks again,
Jeremy

On Tuesday, 20 February 2018 10:17:24 UTC-8, Matthias Bussonnier wrote:
>
> Hello Jeremy, 
>
> Thanks for your question, 
>
> A few Questions: is copy and past the only thing you want to block ? Do 
> you sill want users to be able to modify notebooks by typing ? Is the a 
> specific requirement/certification you need to have ?
>
> A couple of clarification as well: JupyterHub act only as a proxy it is 
> likely note JupyterHub, but Jupyter notebook itself that you will need to 
> patch/configure to do so. It is not baked in but you probably can use 
> extensions mechanism to do that. 
>
> There are ways in Javascript to prevent copy pasting, for example:
>
> document.addEventListener('copy', function(e){
> e.clipboardData.setData('text/plain', 'NO');
> e.preventDefault(); // We want our data, not data from any selection, 
> to be written to the clipboard
> });
>
> Will listen for copy events and replace the Data by "NO", you can also 
> ping a custom URL to log when users are trying to copy.
> Adapt for past events as well.
>
> For the classic notebook you can either build that as an extension, or put 
> it in users's `custom.js` (which I guess you will have control over)
>
> Does that make some sens ?
> -- 
> Matthias
>
>
>
>
> On 19 February 2018 at 12:22, Jujaga  
> wrote:
>
>> Hi all,
>>
>> Our group is currently leveraging zero-to-jupyterhub-k8s in order to 
>> provide Notebooks to a multi-user environment via Kubernetes. However, we 
>> also have a business requirement where we must prevent users from copying 
>> information out of the Notebooks, as well as preventing the insertion of 
>> code and other information into the Notebooks. We want to effectively block 
>> any textual information to and from the client's browser while still 
>> maintaining their ability to use the Notebooks.
>>
>> We were wondering if there exists a method of achieving this? We are more 
>> than happy to provide more information and context as needed.
>>
>> Thanks in advance,
>> Jeremy
>>
>> --
>> Jeremy Ho
>> Software Engineer
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Project Jupyter" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to jupyter+u...@googlegroups.com .
>> To post to this group, send email to jup...@googlegroups.com 
>> .
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/jupyter/CAFMFVKuekm25o7gP0g2qTeDrGSeAP-WPVjBp2nsKWB4B3M4USw%40mail.gmail.com
>>  
>> 
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Project Jupyter" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jupyter+unsubscr...@googlegroups.com.
To post to this group, send email to jupyter@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jupyter/09c7c325-e45f-4f7a-9d4f-69a4eb5a8ed7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [jupyter] Blocking copy/paste functionality to JupyterHub

[Matthias Bussonnier]

Hello Jeremy,

Thanks for your question,

A few Questions: is copy and past the only thing you want to block ? Do you
sill want users to be able to modify notebooks by typing ? Is the a
specific requirement/certification you need to have ?

A couple of clarification as well: JupyterHub act only as a proxy it is
likely note JupyterHub, but Jupyter notebook itself that you will need to
patch/configure to do so. It is not baked in but you probably can use
extensions mechanism to do that.

There are ways in Javascript to prevent copy pasting, for example:

document.addEventListener('copy', function(e){
e.clipboardData.setData('text/plain', 'NO');
e.preventDefault(); // We want our data, not data from any selection,
to be written to the clipboard
});

Will listen for copy events and replace the Data by "NO", you can also ping
a custom URL to log when users are trying to copy.
Adapt for past events as well.

For the classic notebook you can either build that as an extension, or put
it in users's `custom.js` (which I guess you will have control over)

Does that make some sens ?
-- 
Matthias




On 19 February 2018 at 12:22, Jujaga  wrote:

> Hi all,
>
> Our group is currently leveraging zero-to-jupyterhub-k8s in order to
> provide Notebooks to a multi-user environment via Kubernetes. However, we
> also have a business requirement where we must prevent users from copying
> information out of the Notebooks, as well as preventing the insertion of
> code and other information into the Notebooks. We want to effectively block
> any textual information to and from the client's browser while still
> maintaining their ability to use the Notebooks.
>
> We were wondering if there exists a method of achieving this? We are more
> than happy to provide more information and context as needed.
>
> Thanks in advance,
> Jeremy
>
> --
> Jeremy Ho
> Software Engineer
>
> --
> You received this message because you are subscribed to the Google Groups
> "Project Jupyter" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jupyter+unsubscr...@googlegroups.com.
> To post to this group, send email to jupyter@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/jupyter/CAFMFVKuekm25o7gP0g2qTeDrGSeAP-WPVjBp2nsKWB4B3M4USw%40mail.
> gmail.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Project Jupyter" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jupyter+unsubscr...@googlegroups.com.
To post to this group, send email to jupyter@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jupyter/CANJQusX%2BspY%2B1DSYz8XiAvPqOoCpBTJ3bWwvH1GgwpXHcx-GvQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[jupyter] Blocking copy/paste functionality to JupyterHub

[Jujaga]

Hi all,

Our group is currently leveraging zero-to-jupyterhub-k8s in order to
provide Notebooks to a multi-user environment via Kubernetes. However, we
also have a business requirement where we must prevent users from copying
information out of the Notebooks, as well as preventing the insertion of
code and other information into the Notebooks. We want to effectively block
any textual information to and from the client's browser while still
maintaining their ability to use the Notebooks.

We were wondering if there exists a method of achieving this? We are more
than happy to provide more information and context as needed.

Thanks in advance,
Jeremy

--
Jeremy Ho
Software Engineer

-- 
You received this message because you are subscribed to the Google Groups 
"Project Jupyter" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jupyter+unsubscr...@googlegroups.com.
To post to this group, send email to jupyter@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jupyter/CAFMFVKuekm25o7gP0g2qTeDrGSeAP-WPVjBp2nsKWB4B3M4USw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.