Allow links in rendered html content

[jacobtolar]

When jupyter notebook renders html content, links don't work. This is unintuitive and confusing.

This is because of the strict sandbox/content security policy enabled on iframes.

See:

notebook/notebook/templates/view.html

Line 26 in 7de8df4

<iframe id="iframe" sandbox="allow-scripts" src="{{file_url}}"></iframe>

notebook/notebook/base/handlers.py

Lines 694 to 699 in 7de8df4

	@property
	def content_security_policy(self):
	# In case we're serving HTML/SVG, confine any Javascript to a unique
	# origin so it can't interact with the notebook server.
	return super(AuthenticatedFileHandler, self).content_security_policy + \
	"; sandbox allow-scripts"

I suggest expanding this to include at least allow-popups allow-popups-to-escape-sandbox (in both cases above) to make it possible for links to work. I am happy to send a PR if this is an acceptable solution.

Related issue with sandboxing: #3652

As an example, this link won't work (currently) when rendered by Jupyter. You'd have to explicitly open it in a new tab. (Of course, if target=_blank is missing, it doesn't work either).

<body>
        <a href="https://jupyter.org/" target="_blank">https://jupyter.org/</a>
</body>

With the changes suggested above, at least links targeting new windows will work.