Zeppelin / ZEPPELIN-5261

Sandbox HTML result rendering


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.9.0
    • Fix Version/s: None
    • Component/s: GUI
    • Labels: None

    Description

      The Zeppelin display system allows users to render arbitrary HTML results inside a Note. This includes JavaScript inlined in the HTML data to be rendered.

      This can be used for a potential XSS attack: when a user opens a notebook shared by another user, the HTML result in the Note may include exploit code.

      There are a couple of different approaches to prevent this:

      a. Don't render HTML results unless the user explicitly 'trusts' the Note.

          In this way, when a Note includes HTML results, the Zeppelin UI can ask the user whether to trust the Note and render the HTML result or not.

      b. Sandbox HTML result rendering using an iframe.

          In this way, the HTML result is rendered inside an iframe served from a different domain. Because of the browser's same-origin policy, a potential exploit rendered in the iframe cannot access any data in the parent window (Zeppelin). This approach is implemented in Google Colab.


      IMO, (b) is more favorable, since it does not make security depend on the 'trust' of a user. However, there is some expected complexity in implementation and configuration, such as:

      • Passing the result data to render from the parent window to the iframe served from a different domain
      • Automatically resizing the iframe based on its content
      • The client web browser should be able to access the iframe domain, or it should be possible to configure an alternative domain to load the iframe source from
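      The following is an added example of the parent-to-iframe handoff and the content-based resize described in the two points above; it is not Zeppelin's code. It assumes two placeholder origins (`https://zeppelin.example` for the UI and `https://results.example` for rendered results) and a hypothetical `render.html` host page on the result origin. The security-relevant part is that both sides check `event.origin` (and the parent also checks `event.source`) before acting on a message, and both use an explicit `targetOrigin` when posting, so a result that navigated its frame elsewhere never receives the next payload and a forged message from another frame is never applied.

```javascript
// Added example, not Zeppelin's code: parent <-> iframe message protocol for approach (b).
// Both origins and the render page are placeholders (assumption).
const PARENT_ORIGIN = 'https://zeppelin.example';   // where the Zeppelin UI is served
const RESULT_ORIGIN = 'https://results.example';    // separate origin for rendered results
const RENDER_PAGE = RESULT_ORIGIN + '/render.html';  // hypothetical host page loaded into the frame
const MAX_HEIGHT_PX = 20000;                         // cap so a result cannot grow the frame without bound

// Parent side: accept a resize request only if it comes from the result origin,
// from the expected frame window, and carries a sane height.
// Returns the height in px to apply, or null when the message must be ignored.
function acceptResizeMessage(event, expectedOrigin, expectedSource) {
  if (event.origin !== expectedOrigin) return null;
  if (expectedSource && event.source !== expectedSource) return null;
  const data = event.data;
  if (!data || data.type !== 'resize') return null;
  const height = Number(data.height);
  if (!Number.isFinite(height) || height < 0) return null;
  return Math.min(Math.ceil(height), MAX_HEIGHT_PX);
}

// Frame side: accept HTML to render only from the Zeppelin UI origin.
// Returns the HTML string, or null when the message must be ignored.
function acceptRenderMessage(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (!data || data.type !== 'render' || typeof data.html !== 'string') return null;
  return data.html;
}

// Parent side: create the frame and hand it the result once the host page has loaded.
// Isolation comes from RESULT_ORIGIN differing from PARENT_ORIGIN; the sandbox attribute
// keeps the frame's own (result) origin so origin checks work, while denying forms,
// popups and top-level navigation. targetOrigin restricts delivery to the result origin.
function createResultFrame(doc, html) {
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', 'allow-scripts allow-same-origin');
  frame.src = RENDER_PAGE;
  frame.addEventListener('load', () => {
    frame.contentWindow.postMessage({ type: 'render', html: html }, RESULT_ORIGIN);
  });
  return frame;
}

// Parent side: apply validated resize requests from that specific frame only.
function installResizeListener(win, frame) {
  win.addEventListener('message', (event) => {
    const height = acceptResizeMessage(event, RESULT_ORIGIN, frame.contentWindow);
    if (height !== null) frame.style.height = height + 'px';
  });
}

// Frame side (runs in render.html on RESULT_ORIGIN): render what the parent sends once,
// then report the content height back. document.write is used so that inline scripts
// in the result execute, as they do in Zeppelin today, but inside RESULT_ORIGIN only.
function installResultRenderer(win) {
  win.addEventListener('message', (event) => {
    if (event.source !== win.parent) return;
    const html = acceptRenderMessage(event, PARENT_ORIGIN);
    if (html === null) return;
    win.document.open();
    win.document.write(html);
    win.document.close();
    const height = win.document.documentElement.scrollHeight;
    event.source.postMessage({ type: 'resize', height: height }, PARENT_ORIGIN);
  });
}
```

      In the UI, `createResultFrame(document, resultHtml)` is appended to the paragraph's output area and `installResizeListener(window, frame)` is called once; `installResultRenderer(window)` is the only script in the host page on the result origin. The third point above (reachability of the result domain) is a deployment matter: `RESULT_ORIGIN` would need to come from configuration rather than a constant.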


      People

        • Assignee: Unassigned
        • Reporter: Lee Moon Soo (moon)