Skip to content

avoid modifying settings['headers'] in add_default_headers #2671

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 20, 2017
Merged

avoid modifying settings['headers'] in add_default_headers #2671

merged 2 commits into from
Jul 20, 2017

Conversation

minrk
Copy link
Member

@minrk minrk commented Jul 20, 2017

Use a copy to avoid writing content security policy into settings['headers'], which can be a problem because APIHandlers have a stricter CSP than page handlers, adding default-src: 'none'.

If an API request is made before the first page request, pages would fail to load due to CSP violations because the API CSP would be saved in settings['headers'] and used for all subsequent requests.

cc @tkinz27 @kalvinnchau who reported this on Gitter

minrk added 2 commits July 20, 2017 10:43
@minrk
avoid modifying settings['headers'] in add_default_headers
fb7ee6f 
Use a copy to avoid writing content security policy into settings['headers'],
which can be a problem because APIHandlers have a stricter CSP than page handlers.

If an API request is made before the first page request, pages will fail to load due to CSP violations.
@minrk
allow overriding csp report uri via tornado settings
f512880
@takluyver takluyver added this to the 5.1 milestone Jul 20, 2017
@takluyver
Copy link
Member

Seems straightforward, thanks.

@takluyver takluyver merged commit 227704c into jupyter:master Jul 20, 2017
@minrk minrk deleted the dont-modify-headers branch July 20, 2017 10:45
@minrk minrk mentioned this pull request Jul 20, 2017
Merged
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 6, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

status:resolved-locked

Projects

None yet

Milestone

5.1

Development

Successfully merging this pull request may close these issues.

2 participants

@minrk @takluyver