Isolated Browsing for HTTPS Apps

httpsApp access to the jobs launched in projects with httpsAppIsolatedBrowsing project data access flag set to true will be wrapped in Isolated Browsing, which will restrict data transfers through the httpsApp job interface. Isolated Browsing prevents

• Data transfers over httpsApp interface between the user’s local computer and the job via APIs exposed by an httpsApp Web Application. For example, DXJupyterLab users will be unable to perform the following actions via httpApp interface against a job running DXJupyterLab wrapped in Isolated Browsing:

  • download a file to their local computer from the job or save a Jupyter notebook to their local computer

  • upload a file from their local computer to the job

  • invoke JupyterLab APIs requests using cURL against an httpsApp endpoint of the job

  • observe JSON and text information transferred between their local computer and the DXJupyterLab web application in the developer console of their local web browser

• Data transfers via copy/paste

  • copying text from a window on their local computer, then pasting the copied text into httpsApp application wrapped in Isolated Browsing

  • copying text from an httpsApp application wrapped in Isolated Browsing, then pasting the copied text into a window on their local computer

    • note that copy/paste still works within the httpsApp Web Applications.

httpsAppIsolatedBrowsing project setting applies to all httpsApp-enabled jobs in the project, e.g. jobs running DXJupyterLab, ttyd, LocusZoom apps or any other httpsApp-enabled app or applet, launched after the httpsAppIsolatedBrowsing project setting was set to true. httpsAppIsolatedBrowsing setting applies to all httpsApp ports. httpsApp-enabled executables must have httpsApp.shared_access set to NONE to run in projects with httpsAppIsolatedBrowsing set to true.

To set project's httpsAppIsolatedBrowsing setting to true, project's billTo must have httpsAppIsolatedBrowsingControl license, and the admin of a project should issue dx api project-xxxx update '{"httpsAppIsolatedBrowsing":true}' CLI command.

dx describe <project> shows project's httpsAppIsolatedBrowsing setting.

dx describe <job> shows job's httpsApps.isolatedBrowsing setting.

Using apps wrapped in Isolated Browsing

To use Isolated Browsing-wrapped apps effectively, it is helpful to have a conceptual understanding of how Isolated Browsing works.

In order to enforce the data transfer restrictions, the user's local web browser (on the left side of the Figure 1) does not interact with the job's httpsApp Web Application directly. Instead, the local browser receives graphical screen encodings of a separate, remote browser that is interacting with the httpsApp Web Application. Local browser forwards the keyboard and mouse events emitted by the user to the remote browser which then forwards these events to the httpsApp Web Application.

The remote browser is initialized to run in full screen mode, focusing user's attention on the job's httpsApp Web Application (e.g. JupyterLab interface) by eliminating the remote browser navigation elements from view. The user can exit remote browser full screen mode by hovering their mouse pointer near the top of the window and pressing the floating "X" that appears after a brief hover.

Exiting the full screen mode can help the user understand what remote browser tabs are currently opened or open another remote browser tab to visit another httpsApp applications on a separate port (e.g. to see DXJupyterLab's Spark UI interface, visit http://job:8081/ in the remote browser's navigation bar after executing Spark code) as seen in Figures 4 and 5 below. The user can place the remote browser back into full screen mode by clicking on the three-dot menu in the remote browser's top right corner, and pressing the rectangle-corners icon at the right edge of the Zoom menu item.

In case the user closes the remote browser window, the remote browser will be automatically restarted.

To minimize the possibility of unauthorized data transfers, the remote browser is configured to disallow accessing sites other than the httpsApp Web Applications, opening and saving of remote desktop files, installation of Chrome extensions, and accessing remote browser's DevTools console.

Key Bindings

Because the remote browser runs in a minimal Linux environment, httpsApp Web Applications will behave as if interacting with a Linux end user and will accept Linux key bindings. For example, DXJupyterLab will accept control c to copy text to the remote browser's copy/paste buffer even when the user is accessing the job from a MacOS that uses command c to copy text to the local copy/paste buffer. Thankfully, most MacOS DXJupyterLab bindings can be converted to Linux key bindings by using the control (^) MacOS keyboard modifier instead of the command (⌘) modifier.

Key binding-related workarounds

1. In DXJupyterLab, if having difficulties entering hashtag # for comments in a notebook cell, use control / instead. From a MacOS computer with a British keyboard, use right-option 3 (the ⌥ key to the right of the spacebar, followed by 3).

2. To navigate quickly within a DXJupyterLab cell in edit mode on a MacOS, use the fn left-arrow, fn right-arrow, fn up-arrow, fn down-arrow key strokes.