Overview

Historically, DNAnexus applications have been used for batch executions and pipeline processing. Cloud Workstation is an example of an interactive use case for a DNAnexus worker and job, but it is accessible only via SSH configured for a single user.

DNAnexus jobs can be accessed interactively via a browser at https://job-xxxx.dnanexus.cloud via an HTTPS proxy which handles the necessary authentication. This allows a user to host an unencrypted web app within a job and rely on the platform to provide access and security.

Quickstart

This application illustrates how to add httpsApp to your dxapp.json and run a hello-world web server with Docker. Listening on port 443 externally is the worker's HTTPS proxy, which authenticates the user with DNAnexus and generates a session for the browser.

After the job has been assigned and transitioned to the running state, the URL https://job-xxxx.dnanexus.cloud is created. This URL is accessible once it has propagated to your DNS server (generally within 60 seconds). Below is the source code for an applet running a web server on port 443.

src/hello-world-webapp.sh

dxapp.json

To make the applet an HTTPS enabled, a new field httpsApp is required in the of the applet. This field requires ports and shared_access keys. ports is an array of integers with 443, 8080, and 8081 as allowed values. shared_access is a string, with VIEW, CONTRIBUTE, ADMINISTER, or NONE as possible values. This value restricts access to users with at least the specified access to the project in which the job executes, or to only the launching user if

Ubuntu 24.04 is recommended and has native support for docker. Outbound network access is enabled to pull the image from DockerHub.

Running and Accessing the Job

1. Build the applet

2. Run applet

3. Wait until job is running and get URL

4. Navigate to https://job-xxxx.dnanexus.cloud

Use Cases

• Interactive tools for exploring data

Notes and Issues

• Accessing the URL for the first time redirects the browser to the DNAnexus login page for authentication, the browser then redirects back to the web application

• Sessions expire after 15 minutes of inactivity (defined as any HTTP request sent through the proxy), redirecting the user back to the DNAnexus login page

• It is possible to access the job via the HTTPS proxy before the application inside the job is ready to serve requests. This results in the 502 Bad Gateway error. This happens because the application may have not finished setting up dependencies and is not running yet. It could also be configured to listen on an incorrect port.

What is Isolated Browsing?

Isolated Browsing is a project-level security feature that restricts data transfer between HTTPS apps and the user's local computer. It prevents direct communication between the httpsApp Web Application and the user's local web browser.

Isolated Browsing applies to all httpsApp-enabled jobs in the project, such as jobs running DXJupyterLab, ttyd, LocusZoom, or any other httpsApp-enabled app or applet.

Enable Isolated Browsing

To enable Isolated Browsing in a project you have ADMIN access to:

1. Ensure the project's billTo has the httpsAppIsolatedBrowsingControl license.

2. Set the project's httpsAppIsolatedBrowsing flag to true.

You can set the project's data access control flags using the DNAnexus CLI.

You can also use the CLI to check whether the httpsAppIsolatedBrowsing flag is set.

How Isolated Browsing Works

Isolated Browsing adds an extra layer to interacting with HTTPS apps. It restricts data transfers between your computer and all httpsApp Web Applications exposed by a job.

Instead of your local web browser directly interacting with the httpsApp Web Application, a separate remote browser handles this communication. Your local browser receives visual updates (screen encodings) from the remote browser, and your actions (keyboard and mouse input) are sent to the remote browser, which then forwards them to the application.

The remote browser starts in full screen mode, focusing user's attention on the job's httpsApp Web Application, such as JupyterLab interface. This hides the remote browser's navigation elements from view.

You can exit the remote browser's full screen mode by hovering your mouse pointer near the top of the window and selecting the floating "X" that appears.

When you exit the full screen mode, you can see the tabs opened in the remote browser. You can also open another remote browser tab to visit another httpsApp application on a different httpsApp port.

For example, to see DXJupyterLab's Spark UI interface, visit http://job:8081/ in the remote browser's navigation bar after executing Spark code.

To re-enter the full screen mode, click the vertical three-dot menu in the remote browser's top right corner, and then in the Zoom menu item, click the rectangle-corners icon. You can also use the Zoom controls to enlarge or reduce the size of your app.

If you close the remote browser window, the remote browser is automatically restarted.

To minimize the risk of unauthorized data transfers, the remote browser is configured to disallow accessing sites other than the httpsApp Web Applications, opening and saving of remote desktop files, installation of Chrome extensions, and accessing the remote browser's DevTools.

Data Transfer Restrictions Enforced by Isolated Browsing

Data transfers over the httpsApp interface between your local computer and the job via APIs exposed by an httpsApp Web Application are disabled.

For example, with Isolated Browsing, you cannot perform the following actions via httpApp interface against a job running DXJupyterLab:

• Download a file to your local computer from the job, or save a Jupyter notebook to your local computer.

• Upload a file from your local computer to the job.

• Invoke JupyterLab API requests using cURL against an httpsApp endpoint of the job.

• Observe JSON and text information transferred between your local computer and the DXJupyterLab web application in the developer console of your local web browser.

Copy and Paste Restrictions Enforced by Isolated Browsing

Isolated Browsing restricts clipboard operations (copy and paste) between your local computer and the remote browser to prevent data exfiltration.

• Copying from remote browser to local computer is disabled. You cannot copy text or other data from the httpsApp Web Application and paste it into an application on your local computer.

• Pasting from local computer to remote browser is limited. You can copy text from your local computer and paste it into the httpsApp Web Application, subject to a size limit configured by a project administrator. If the limit is set to 0, pasting is disabled.

• Copying and pasting within the remote browser is allowed. Copying and pasting text entirely within the remote browser (for example, from one JupyterLab notebook cell to another) is permitted without restriction.

Isolated Browsing doesn't prevent you from taking screenshots or photographs of the httpsApp Web Application interface.

Configuring the Paste Limit

A project administrator can set the maximum number of bytes allowed for pasting from the local clipboard to the remote browser by using the and setting the httpsAppIsolatedBrowsingOptions field.

The value for pasteFromLocalClipboardMaxBytes must be between 0 and 262,144 bytes, where 0 disables paste entirely.

Paste Behavior and Limitations

When pasting from your local computer into a remote browser, be aware of the following behaviors and limitations:

Browser Support and Permissions

• Supported Browsers: The paste functionality works on local Chrome, Chromium, and Microsoft Edge browsers. It does not work on Firefox or Safari.

• Required Permissions: Your local browser displays a dialog asking you to allow the site to "See Text and images copied to the clipboard". You must click "Allow" to enable the paste functionality.

Content and Formatting

• Only plain text can be pasted from your local computer.

• If you copy formatted text (for example, from a website or document), you can paste the text, but all formatting is lost.

• If you copy an image or file, nothing is pasted into the remote session.

Clipboard Synchronization

The remote clipboard inside the remote browser is overwritten by your local clipboard's content when you switch focus from any other tab or application on your local computer back to the tab running the Isolated Browsing httpsApp Web Application.

• This synchronization happens only if the content in your local clipboard fits within the configured paste size limit.

• If the content in your local clipboard exceeds the paste limit, the remote clipboard is not affected, and its previous content is preserved.

Key Bindings

Because the remote browser runs in a Linux environment, httpsApp Web Applications behave as if interacting with a Linux end user and accept Linux key bindings.

Windows users should see minimal differences. On macOS, most key bindings can be converted to the Linux ones by using the control key (^) instead of the command key (⌘).

For example, with macOS, this means you need to use Control + C instead of Command + C when copying selected text in the remote browser.

Key binding tips

• If you have difficulties entering the hashtag symbol # for comments in a notebook cell, use Control + / instead. On macOS with a British keyboard, use right-option 3 (the ⌥ key to the right of the spacebar, followed by 3).

• To navigate quickly within a DXJupyterLab cell in edit mode on macOS, use the Fn + Left-arrow, Fn + Right-arrow, Fn + Up-arrow, or Fn