Isolated Browsing for HTTPS Apps

Restrict data transfer between HTTPS apps and the user's local computer.

What is Isolated Browsing?

Isolated Browsing is a project-level security feature that restricts data transfer between HTTPS apps and the user's local computer. It prevents direct communication between the httpsApp Web Application and the user's local web browser.

Isolated Browsing applies to all httpsApp-enabled jobs in the project, such as jobs running DXJupyterLab, ttyd, LocusZoom, or any other httpsApp-enabled app or applet.

Isolated Browsing is a limited-access feature requiring a separate license. Contact DNAnexus Sales for more information.

Enable Isolated Browsing

To enable Isolated Browsing in a project you have ADMIN access to:

Ensure the project's billTo has the httpsAppIsolatedBrowsingControl license.
Set the project's httpsAppIsolatedBrowsing data access control flag to true.

You can set the project's data access control flags using the DNAnexus CLI.

# As a project admin, set a project's 'httpsAppIsolatedBrowsing' flag to 'true' 
dx api project-xxxx update '{"httpsAppIsolatedBrowsing":true}'

You can also use the CLI to check whether the httpsAppIsolatedBrowsing flag is set.

# Show a project's 'httpsAppIsolatedBrowsing' flag
dx describe project-xxxx
# Show a job's 'httpsApps.isolatedBrowsing' flag
dx describe job-xxxx

To run apps and applets in projects with Isolated Browsing enabled, the httpsApp-enabled executables must have httpsApp.shared_access set to NONE.

How Isolated Browsing Works

Isolated Browsing adds an extra layer to interacting with HTTPS apps. It restricts data transfers between your computer and all httpsApp Web Applications exposed by a job.

Instead of your local web browser directly interacting with the httpsApp Web Application, a separate remote browser handles this communication. Your local browser receives visual updates (screen encodings) from the remote browser, and your actions (keyboard and mouse input) are sent to the remote browser, which then forwards them to the application.

The remote browser starts in full screen mode, focusing user's attention on the job's httpsApp Web Application, such as JupyterLab interface. This hides the remote browser's navigation elements from view.

You can exit the remote browser's full screen mode by hovering your mouse pointer near the top of the window and selecting the floating "X" that appears.

When you exit the full screen mode, you can see the tabs currently opened in the remote browser. You can also open another remote browser tab to visit another httpsApp application on a different httpsApp port.

For example, to see DXJupyterLab's Spark UI interface, visit http://job:8081/ in the remote browser's navigation bar after executing Spark code.

To re-enter the full screen mode, click the vertical three-dot menu in the remote browser's top right corner, and then in the Zoom menu item, click the rectangle-corners icon. You can also use the Zoom controls to enlarge or reduce the size of your app.

If you close the remote browser window, the remote browser will be automatically restarted.

To minimize the risk of unauthorized data transfers, the remote browser is configured to disallow accessing sites other than the httpsApp Web Applications, opening and saving of remote desktop files, installation of Chrome extensions, and accessing the remote browser's DevTools.

Data Transfer Restrictions Enforced by Isolated Browsing

Restrictions on data transfers between the job and your computer

Data transfers over the httpsApp interface between your local computer and the job via APIs exposed by an httpsApp Web Application are disabled.

For example, with Isolated Browsing, you cannot perform the following actions via httpApp interface against a job running DXJupyterLab:

Download a file to your local computer from the job, or save a Jupyter notebook to your local computer.
Upload a file from your local computer to the job.
Invoke JupyterLab API requests using cURL against an httpsApp endpoint of the job.
Observe JSON and text information transferred between your local computer and the DXJupyterLab web application in the developer console of your local web browser.

Restrictions on copy and paste operations

Copy and paste of information between your browser and the job is disabled. However, copying and pasting within the isolated job is permitted.

For example, with Isolated Browsing, you cannot perform the following copy and paste actions:

Copying text from a window on your local computer, then pasting the copied text into httpsApp Web Application.
Copying text from an httpsApp Web Application, then pasting the copied text into a window on your local computer.

Isolated Browsing doesn't prevent you from taking screenshots or photographs of the httpsApp Web Application interface.

Key Bindings

Because the remote browser runs in a Linux environment, httpsApp Web Applications behave as if interacting with a Linux end user and accept Linux key bindings.

Windows users should see minimal differences. On macOS, most key bindings can be converted to the Linux ones by using the control key (^) instead of the command key (⌘).

For example, with macOS, this means you need to use Control + C instead of Command + C when copying selected text in the remote browser.

Key binding tips

If you have difficulties entering the hashtag symbol # for comments in a notebook cell, use Control + / instead. On macOS with a British keyboard, use right-option 3 (the ⌥ key to the right of the spacebar, followed by 3).
To navigate quickly within a DXJupyterLab cell in edit mode on macOS, use the Fn + Left-arrow, Fn + Right-arrow, Fn + Up-arrow, or Fn + Down-arrow key combinations.
To zoom in or out, use Control + + or Control + - key combinations.

Last updated 7 days ago

Was this helpful?