by carreau 1840 days ago
What's your security model for logged-in users? One of the reasons we (the Jupyter team) have nbviewer on a separate domain with no login is so that embedded JS and other potentially sensitive content can be rendered without risk. We've seen people try many attack vectors against renderers like this one, for example injecting script tags into things like prompt numbers.

Thanks for the q (I work at Deepnote) - all outputs that can contain potentially malicious JS are sandboxed in iframes so they can only access their local context and can't be used e.g. for XSS attacks.