Isolated Browsing for HTTPS Apps

What is Isolated Browsing?

Isolated Browsing is a project-level security feature that restricts data transfer between HTTPS apps and the user's local computer. It prevents direct communication between the httpsApp Web Application and the user's local web browser.

Isolated Browsing applies to all httpsApp-enabled jobs in the project, such as jobs running DXJupyterLab, ttyd, LocusZoom, or any other httpsApp-enabled app or applet.

Enable Isolated Browsing

To enable Isolated Browsing in a project you have ADMIN access to:

1. Ensure the project's billTo has the httpsAppIsolatedBrowsingControl license.

2. Set the project's httpsAppIsolatedBrowsing data access control flag to true.

You can set the project's data access control flags using the DNAnexus CLI.

# As a project admin, set a project's 'httpsAppIsolatedBrowsing' flag to 'true' 
dx api project-xxxx update '{"httpsAppIsolatedBrowsing":true}'

You can also use the CLI to check whether the httpsAppIsolatedBrowsing flag is set.

# Show a project's 'httpsAppIsolatedBrowsing' flag
dx describe project-xxxx
# Show a job's 'httpsApps.isolatedBrowsing' flag
dx describe job-xxxx

How Isolated Browsing Works

Isolated Browsing adds an extra layer to interacting with HTTPS apps. It restricts data transfers between your computer and all httpsApp Web Applications exposed by a job.

Instead of your local web browser directly interacting with the httpsApp Web Application, a separate remote browser handles this communication. Your local browser receives visual updates (screen encodings) from the remote browser, and your actions (keyboard and mouse input) are sent to the remote browser, which then forwards them to the application.

The remote browser starts in full screen mode, focusing user's attention on the job's httpsApp Web Application, such as JupyterLab interface. This hides the remote browser's navigation elements from view.

You can exit the remote browser's full screen mode by hovering your mouse pointer near the top of the window and selecting the floating "X" that appears.

When you exit the full screen mode, you can see the tabs opened in the remote browser. You can also open another remote browser tab to visit another httpsApp application on a different httpsApp port.

For example, to see DXJupyterLab's Spark UI interface, visit http://job:8081/ in the remote browser's navigation bar after executing Spark code.

To re-enter the full screen mode, click the vertical three-dot menu in the remote browser's top right corner, and then in the Zoom menu item, click the rectangle-corners icon. You can also use the Zoom controls to enlarge or reduce the size of your app.

If you close the remote browser window, the remote browser is automatically restarted.

To minimize the risk of unauthorized data transfers, the remote browser is configured to disallow accessing sites other than the httpsApp Web Applications, opening and saving of remote desktop files, installation of Chrome extensions, and accessing the remote browser's DevTools.

Data Transfer Restrictions Enforced by Isolated Browsing

Data transfers over the httpsApp interface between your local computer and the job via APIs exposed by an httpsApp Web Application are disabled.

For example, with Isolated Browsing, you cannot perform the following actions via httpApp interface against a job running DXJupyterLab:

• Download a file to your local computer from the job, or save a Jupyter notebook to your local computer.

• Upload a file from your local computer to the job.

• Invoke JupyterLab API requests using cURL against an httpsApp endpoint of the job.

• Observe JSON and text information transferred between your local computer and the DXJupyterLab web application in the developer console of your local web browser.

Copy and Paste Restrictions Enforced by Isolated Browsing

Isolated Browsing restricts clipboard operations (copy and paste) between your local computer and the remote browser to prevent data exfiltration.

• Copying from remote browser to local computer is disabled. You cannot copy text or other data from the httpsApp Web Application and paste it into an application on your local computer.

• Pasting from local computer to remote browser is limited. You can copy text from your local computer and paste it into the httpsApp Web Application, subject to a size limit configured by a project administrator. If the limit is set to 0, pasting is disabled.

• Copying and pasting within the remote browser is allowed. Copying and pasting text entirely within the remote browser (for example, from one JupyterLab notebook cell to another) is permitted without restriction.

Isolated Browsing doesn't prevent you from taking screenshots or photographs of the httpsApp Web Application interface.

Configuring the Paste Limit

A project administrator can set the maximum number of bytes allowed for pasting from the local clipboard to the remote browser by using the /project-xxxx/update API method and setting the httpsAppIsolatedBrowsingOptions field.

The value for pasteFromLocalClipboardMaxBytes must be between 0 and 262,144 bytes, where 0 disables paste entirely.

# Example: Set the paste limit to 1,024 bytes
dx api project-xxxx update '{"httpsAppIsolatedBrowsingOptions": {"pasteFromLocalClipboardMaxBytes": 1024}}'

Paste Behavior and Limitations

When pasting from your local computer into a remote browser, be aware of the following behaviors and limitations:

Browser Support and Permissions

• Supported Browsers: The paste functionality works on local Chrome, Chromium, and Microsoft Edge browsers. It does not work on Firefox or Safari.

• Required Permissions: Your local browser displays a dialog asking you to allow the site to "See Text and images copied to the clipboard". You must click "Allow" to enable the paste functionality.

Content and Formatting

• Only plain text can be pasted from your local computer.

• If you copy formatted text (for example, from a website or document), you can paste the text, but all formatting is lost.

• If you copy an image or file, nothing is pasted into the remote session.

Clipboard Synchronization

The remote clipboard inside the remote browser is overwritten by your local clipboard's content when you switch focus from any other tab or application on your local computer back to the tab running the Isolated Browsing httpsApp Web Application.

• This synchronization happens only if the content in your local clipboard fits within the configured paste size limit.

• If the content in your local clipboard exceeds the paste limit, the remote clipboard is not affected, and its previous content is preserved.

Key Bindings

Because the remote browser runs in a Linux environment, httpsApp Web Applications behave as if interacting with a Linux end user and accept Linux key bindings.

Windows users should see minimal differences. On macOS, most key bindings can be converted to the Linux ones by using the control key (^) instead of the command key (⌘).

For example, with macOS, this means you need to use Control + C instead of Command + C when copying selected text in the remote browser.

Key binding tips

• If you have difficulties entering the hashtag symbol # for comments in a notebook cell, use Control + / instead. On macOS with a British keyboard, use right-option 3 (the ⌥ key to the right of the spacebar, followed by 3).

• To navigate quickly within a DXJupyterLab cell in edit mode on macOS, use the Fn + Left-arrow, Fn + Right-arrow, Fn + Up-arrow, or Fn + Down-arrow key combinations.

• To zoom in or out, use Control + + or Control + - key combinations.