
Add x-xsrftoken to Access-Control-Allow-Headers #2876

Merged
merged 1 commit into from Sep 30, 2017

@SamLau95
Contributor

SamLau95 commented Sep 28, 2017

When starting a kernel using the Jupyter Notebook Kernel API, web
browsers will automatically check for the presence of x-xsrftoken in
the Access-Control-Allow-Headers during the preflight CORS check
(ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers).

Since we didn't allow this header before, web browsers would fail the
preflight check even when the x-xsrftoken header isn't being used by the
notebook server.

This meant that running a webpage on localhost:8080 that used Javascript
to start a kernel on a notebook server running on localhost:8888 would
fail.

How I tested this commit:

  1. Start a notebook server using

     jupyter notebook --no-browser --NotebookApp.allow_origin="*" --NotebookApp.disable_check_xsrf=True --NotebookApp.token=''

  2. Build the web3 example from ipywidgets.

  3. In that directory, run npm run host.

  4. Verify that visiting http://localhost:8080/ starts a kernel in the notebook server.

Add x-xsrftoken to Access-Control-Allow-Headers
When starting a kernel using the Jupyter Notebook Kernel API, web
browsers will automatically check for the presence of `x-xsrftoken` in
the Access-Control-Allow-Headers during the preflight CORS check
([ref][ref]).

[ref]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers

Since we didn't allow this header before, web browsers would fail the
preflight check even when the x-xsrftoken header isn't being used by the
notebook server.

This meant that running a webpage on localhost:8080 that used Javascript
to start a kernel on a notebook server running on localhost:8888 would
fail.

How I tested this commit:

1. Start a notebook server using

		jupyter notebook --no-browser --NotebookApp.allow_origin="*" --NotebookApp.disable_check_xsrf=True --NotebookApp.token=''

2. Build the [web3](https://github.com/jupyter-widgets/ipywidgets/tree/master/examples/web3) example from ipywidgets.
3. In that directory, run `npm run host`.
4. Verify that visiting http://localhost:8080/ starts a kernel in the notebook server.
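The preflight behaviour the description relies on, as an added example that is not code from this PR or from the notebook project: the browser only lets the page's JavaScript send a non-safelisted header such as x-xsrftoken cross-origin if the server's preflight (OPTIONS) response names it in Access-Control-Allow-Headers. The header lists, the modelling of `NotebookApp.allow_origin` as either `*` or one exact origin, and the two request headers used for the kernel-start POST are assumptions made for the example; the page only shows that x-xsrftoken was missing from the allowed list.

```python
"""Simulated CORS preflight for the cross-origin kernel-start scenario.

A browser only lets a page send a non-safelisted request header cross-origin
if the server's preflight response names it in Access-Control-Allow-Headers.
The functions below model that check (browser side) and the preflight
response (server side) so the failure described in the PR can be reproduced
without a browser or a notebook server.
"""

# Constructed for this example.  The page only shows that x-xsrftoken was
# missing; the other three names are an assumption about the pre-PR list.
ALLOW_HEADERS_BEFORE = "accept, content-type, authorization"
ALLOW_HEADERS_AFTER = "accept, content-type, authorization, x-xsrftoken"


def parse_header_list(value):
    """Split a comma-separated header-name list; header names are
    case-insensitive, so they are lower-cased and trimmed."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def preflight_allows(request_headers, allow_headers_value, credentials=False):
    """Browser side: decide whether every name in Access-Control-Request-Headers
    is covered by the server's Access-Control-Allow-Headers.

    Returns (ok, rejected_names).  A "*" entry covers any header only for
    requests made without credentials (cookies, Authorization); with
    credentials "*" is taken literally, as the Fetch standard requires.
    """
    allowed = parse_header_list(allow_headers_value)
    wildcard_ok = "*" in allowed and not credentials
    rejected = sorted(
        name.lower()
        for name in request_headers
        if not wildcard_ok and name.lower() not in allowed
    )
    return (not rejected, rejected)


def build_preflight_response(origin, allow_origin, allow_headers_value):
    """Server side: CORS headers for the OPTIONS response, or None when the
    request's Origin is not permitted (then no CORS headers are sent at all).

    allow_origin models NotebookApp.allow_origin here as "*" or one exact
    origin (an assumption of this example).
    """
    if allow_origin != "*" and origin != allow_origin:
        return None
    return {
        "Access-Control-Allow-Origin": allow_origin,
        "Access-Control-Allow-Headers": allow_headers_value,
    }


def kernel_start_preflight(allow_origin, allow_headers_value, credentials=False):
    """The PR's scenario: JavaScript on http://localhost:8080 POSTs a JSON body
    with an x-xsrftoken header to a server on http://localhost:8888.
    Neither header is CORS-safelisted, so the browser sends a preflight
    listing both.  Returns "ok" or a short reason the browser blocks it.
    """
    page_origin = "http://localhost:8080"
    requested = ["Content-Type", "X-XSRFToken"]  # constructed request headers
    response = build_preflight_response(page_origin, allow_origin, allow_headers_value)
    if response is None:
        return "blocked: origin not allowed"
    ok, rejected = preflight_allows(
        requested, response["Access-Control-Allow-Headers"], credentials
    )
    if not ok:
        return "blocked: header(s) not allowed: " + ", ".join(rejected)
    return "ok"


if __name__ == "__main__":
    print("before PR:   ", kernel_start_preflight("*", ALLOW_HEADERS_BEFORE))
    print("after PR:    ", kernel_start_preflight("*", ALLOW_HEADERS_AFTER))
    print("wrong origin:", kernel_start_preflight("http://localhost:9999", ALLOW_HEADERS_AFTER))
```

Two points worth keeping in mind when reading the result: naming x-xsrftoken in Access-Control-Allow-Headers only permits the browser to forward that header, so the server's own check of the token value on the actual request is unchanged by this PR; and the `jupyter notebook` command in the test steps turns off XSRF checking and token authentication and accepts any origin, which is what makes the local reproduction possible rather than a configuration for a server reachable by others.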
@rgbkrk

rgbkrk approved these changes Sep 30, 2017

@rgbkrk

Member

rgbkrk commented Sep 30, 2017

This seems like the right choice for the default, thanks.

@rgbkrk rgbkrk merged commit 1cdb411 into jupyter:master Sep 30, 2017

4 checks passed

- codecov/patch: 0% of diff hit (target 0%)
- codecov/project: 79.24% remains the same compared to b884ff9
- continuous-integration/appveyor/pr: AppVeyor build succeeded
- continuous-integration/travis-ci/pr: The Travis CI build passed
@yuvipanda

Contributor

yuvipanda commented Oct 9, 2017

Do folks think we can make a point release with this?

@rgbkrk

Member

rgbkrk commented Oct 9, 2017

We're waiting on #2203 according to @gnestor, then this should go out.

@gnestor

Contributor

gnestor commented Oct 9, 2017

@rgbkrk Care to review? #2911

@gnestor gnestor added this to the 5.2 milestone Oct 13, 2017
