Support custom widgets

[vivek1729]

Addresses #4 to support 3rd party widgets loaded from a CDN. We follow Jupyter standards and base the custom widget loader implementation off the HTML manager example in the ipywidgets project.

Additional goodies with this PR

• Extensibility point to override the reference custom widget loader we provide
• Flexibility to update the default base CDN Url for custom widgets (we default to https://unpkg.com)
• Minor bug fix in widget-comms.ts
• Address TS linting errors in widget-manager tests

Here's an example of the ipyleaflet custom widget in action:

cc: @captainsafia

[captainsafia]

@rgbkrk Thoughts on this model for passing custom properties to the JavaScript assets?

[rgbkrk]

Interesting -- this makes it so a custom frontend can specify where custom widgets are allowed to be loaded from?

Probably worth noting that any output can add a tag to say to load other assets, so that's another vector for attack (though it means you need some HTML output already emitted in the document to use it).

[captainsafia]

Interesting -- this makes it so a custom frontend can specify where custom widgets are allowed to be loaded from?

Correct. This allows you to set the CDN to use when loading widgets. The HTML widget manager does something similar (ref).

Probably worth noting that any output can add a tag to say to load other assets, so that's another vector for attack (though it means you need some HTML output already emitted in the document to use it).

Good point. The logic currently loads the the attribute from any script tag. I believe the way the for-loop is setup will cause it to favor the most recently inserted script tag which might be a problem.

@vivek1729 Thoughts?

[vivek1729]

That's a good point @rgbkrk. @captainsafia rightly pointed out that I followed the pattern that the HTML widget manager to override the default CDN URL. The logic of reading and looping over script tags is also based off the HTML Widget manager (ref).

Good point. The logic currently loads the the attribute from any script tag. I believe the way the for-loop is setup will cause it to favor the most recently inserted script tag which might be a problem.

Trying to understand how favoring the most recent added script tag might be a problem. Ideally, we'd hope that there's only 1 script tag that specifies the data-jupyter-widgets-cdn tag. Looping over script tags potentially opens up the possibility of script tags being added dynamically which can lead to the cdn URL being over-written. However, we should also note that the CDN url is set when the WidgetManager is getting constructed. Since the WidgetManager is a singleton, this would only happen once and it makes sense because we don't really want to have the base CDN URL change very often. It's more like a one-time setup configuration.

[captainsafia]

The WidgetManager gets instantiated once when the first widget is rendered onto the page. It's possible for a nefarious to render a HTML output (or inject HTML into the page in some other way) that renders a script tag with a malicious CDN onto the page then render a second output containing the ipywidget.

@jasongrout Do you have any thoughts on this since I believe you implemented the original code in the HTML manager?

[vivek1729]

@captainsafia, thanks for the additional details. How do you suggest we address this concern?

[captainsafia]

For now, I'm thinking that we:

• Merge this PR so we can get the basic groundwork in
• Ship an alpha release of the package
• Open an issue to address the security issue, particularly use the alpha package to create an MVP of what the attack would look like, also see if we can get some insight from the ipywidgets folks on this
• Followup on the issue from Add support for Output widgets #3 as needed

If that sounds good to you we can move forward with it.

[vivek1729]

@captainsafia , this sounds like a good plan to me.

[vivek1729]

I'll proceed with the PR when you get a chance to do a final review and approve.

[captainsafia]

@vivek1729 Mind creating a new issue for the CDN url thing?

[vivek1729]

Added #50 to track the security issue and engage with ipywidgets folks.