Introduction/summary
I was surprised by the (from my point of view limited) extent to which the user is defended against "potentially unsafe dynamic content" by default. Two things were unexpected to me: 1) a warning is not always triggered if dynamic content is present , and 2) all dynamic content in a notebook will be evaluated when evaluating any cell in that notebook.
The tests I did are first listed below. The question is how we can modify options to let the behaviour correspond to my expectations. Along the way I found an option ("TrustByDefault") that can deal with one of the concerns, so I have provided an answer to my own question.
This option was not exactly hidden, as it was mentioned in the docs under tutorial/NotebookSecurity, which is excellent. The main value I see in posting this now is to warn users like me who like to skim pages like tutorial/NotebookSecurity and later draw their own conclusions about options like "Dynamic Updating Enabled". Further I provide some code which may help with "seeing things for yourself". Lastly, I feel a warning about the Cell/Notebook option CellEvalaluationFunction was overdue.
Paraphrasing of relevant parts of /tutorial/NotebookSecurity
Mathematica can warn you about dynamic content, but it does not always do so. If the warning is displayed, dynamic content is also not get evaluated (evaluation can be triggered in an unexpected way though! Details further below). The warning looks like this.
Notebooks on a "TrustedPath" will never trigger the warning. Notebooks on an "Untrusted path" will always trigger the warning. For Notebooks on paths that are neither safe or unsafe in this sense, whether or not the warning will appear will depend on what functions/symbols appear in the Dynamic content.
The paths that are not trusted on your system can be found by executing this code
Column[ToFileName /@
CurrentValue[$FrontEnd, {"NotebookSecurityOptions",
"UntrustedPath"}]]
replace "UntrustedPath" by "TrustedPath" in the above to see which directories are trusted.
Testing
A little way below is a procedure to generate notebooks with dynamic content and then opening them. It requires you to input a path (name of a directory). The result will depend on what path you specify and on the notebook you choose (with or without potentially dangerous functions).
As mentioned, for some notebooks/paths the dynamic content will be evaluated right away. I think this does not depend on whether you generated the file yourself or whether it was sent to you. No mention of such a distinction is made in tutorial/NotebookSecurity.
For me, if I put a notebook with dynamic content without dangerous functions in my user directory, dynamic content gets evaluated right away. This was unexpected to me, especially because I did not realise that immediate evaluation of dynamic content depended on the functions that appear in it. I now find the design intuitive in a way, but I think there is a serious design flaw here. So much so that I think talking about it here further may do more harm than good.
Code to see how the warning works
As promised, here is the code to generate and open notebooks.
Warning: I will not tell you not to trust me, but code containing functions that I use below could be very dangerous. In general I would advise you not to evaluate such code, unless you understand or trust it.
path = (*enter the path where you want to store the notebook here*);
fileName = (*enter example: file.nb*);
Block[{fullFileName = FileNameJoin[{path, fileName}]}
,
If[
! FileExistsQ[fullFileName]
,
Put[
Notebook[
{
Cell[
BoxData@MakeBoxes@
Dynamic[If[! NumberQ[x], x = 0];
StringForm["x is now ``", x++]], "Output"]
,
Cell[BoxData@MakeBoxes["evaluate this";], "Input",
CellTags -> "eval"]
}
,
DynamicUpdating -> True
]
, fullFileName
];
NotebookOpen@fullFileName;
NotebookLocate["eval"]
,
Print["file already exists!"]
]
]
Even if you put the file on an "UntrustedPath", you still have to be very careful. The unexpected thing to me here is that if you evaluate any regular Cell in the notebook, even one that you made yourself, the dynamic content gets evaluated. Even though you did not press the button "Enable Dynamics". You can test this out by simply evaluating the Cell saying "evaluate this" that I have included.
CellEvaluationFunction
Now, it is a very bad idea anyway to evaluate a cell in a notebook you do not trust, especially because of the option CellEvaluationFunction. CellEvaluationFunction is both an option for Cell and for Notebook and can make cells evaluate in ways you do not expect. Code can not be visible and basically any code can be evaluated against your will this way, provided you evaluate a Cell in this notebook.
But still the behaviour that evaluating any cell also causes the dynamic content to be evaluated is unexpected to me and therefore I would (have) like(d) to have some protection against it.
Options for additional protection
Options that do not work
I was looking to see if you could make some additional protection against this unwanted evaluation. In particular the option from the evaluation menu "Dynamic Content Enabled", as well as the front end option DynamicUpdating, which is the same as the option DynamicUpdating in the option inspector under Cell Options > Evaluation Options, seem to have no effect. The Notebook option DynamicUpdating only seems to apply to a particular Notebook, so that does not help either.
I think all the front end option DynamicUpdating is, is the default value of the Notebook option DynamicUpdating for newly created notebooks. This does not include notebooks that already existed and were simply opened. The menu option "Dynamic Content Enabled" from the evaluation menu is not a global setting. It can be different for different notebooks. In particular, when I open the .nb file from an "UntrustedPath", there is a check in front of "Dynamic Updating Enabled", even when there was not one before.
Questions
The question here is: Are there any additional means to protect ourselves against dynamic evaluation?
