Skip to content

add Authorization to allowed CORS headers #1975

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 15, 2016
Merged

add Authorization to allowed CORS headers #1975

merged 1 commit into from
Dec 15, 2016

Conversation

minrk
Copy link
Member

@minrk minrk commented Dec 14, 2016

so that CORS requests can use token authentication in the Authorization header by default.

cf jupyterlab/jupyterlab#1416

@minrk
add Authorization to allowed CORS headers
a51efa5 
so that CORS requests can be token-authenticated
@takluyver
Copy link
Member

Restarted some JS tests (any idea if there's anything we can do to make these more reliable?)

I have little understanding of the significance of this, so I'll let people who hopefully do have a look.

@blink1073
Copy link
Contributor

I confirmed that this allows us to run the JupyterLab tests using Karma and tokens.

@blink1073
Copy link
Contributor

I prefer this solution over sending the token as a URL param in plain text, per https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3.

@minrk
Copy link
Member Author

minrk commented Dec 14, 2016

Background:

CORS severely limits what you can do from one site to another. Prior to making a CORS request, browsers make an OPTIONS request, to ask the server what should be allowed. One of the things that is limited is setting headers on those requests. The server specifies which headers should be permitted with Access-Control-Allow-Headers.

Since part of the point of the token authorization is to make authenticated cross-origin access easier, we should allow the Authorization header to be included, which is what this PR does.

@minrk minrk mentioned this pull request Dec 14, 2016
Merged
@minrk minrk added this to the 4.3.1 milestone Dec 14, 2016
@minrk minrk merged commit 5f0d05c into jupyter:master Dec 15, 2016
@minrk minrk deleted the cors-auth-header branch December 15, 2016 09:19
@gnestor
Copy link
Contributor

gnestor commented Dec 16, 2016

@minrk Does this need to be backported for 4.3.1?

@blink1073
Copy link
Contributor

Yes, please, we are waiting for this in JupyterLab.

minrk added a commit that referenced this pull request Dec 20, 2016
@minrk
Backport PR #1975: add Authorization to allowed CORS headers
6ada253 
so that CORS requests can use token authentication in the Authorization header by default.

cf jupyterlab/jupyterlab#1416

Signed-off-by: Min RK <benjaminrk@gmail.com>
@gnestor
Copy link
Contributor

gnestor commented Dec 20, 2016

Backported! Thanks @minrk.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 10, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@rgbkrk rgbkrk rgbkrk approved these changes

Assignees

No one assigned

Labels

status:resolved-locked

Projects

None yet

Milestone

4.3.1

Development

Successfully merging this pull request may close these issues.

5 participants

@minrk @takluyver @blink1073 @gnestor @rgbkrk