Add x-xsrftoken to Access-Control-Allow-Headers #2876

Merged (1 commit, Sep 30, 2017)

Conversation

SamLau95 (Contributor) commented Sep 28, 2017
When starting a kernel using the Jupyter Notebook Kernel API, web
browsers will automatically check for the presence of `x-xsrftoken` in
the Access-Control-Allow-Headers during the preflight CORS check
([ref][ref]).

[ref]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers

Since we didn't allow this header before, web browsers would fail the
preflight check even when the x-xsrftoken header isn't being used by the
notebook server.

This meant that running a webpage on localhost:8080 that used Javascript
to start a kernel on a notebook server running on localhost:8888 would
fail.

How I tested this commit:

1. Start a notebook server using

		jupyter notebook --no-browser --NotebookApp.allow_origin="*" --NotebookApp.disable_check_xsrf=True --NotebookApp.token=''

2. Build the [web3](https://github.com/jupyter-widgets/ipywidgets/tree/master/examples/web3) example from ipywidgets.
3. In that directory, run `npm run host`.
4. Verify that visiting http://localhost:8080/ starts a kernel in the notebook server.
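
The preflight failure described above, as an added example (not code from the notebook project or from this pull request): a Python model of the checks a browser applies to the OPTIONS response before it will send a cross-origin `POST /api/kernels`. The `ALLOW_HEADERS_BEFORE` / `ALLOW_HEADERS_AFTER` strings and the client request headers are assumptions chosen for illustration, and the rules are a simplified rendering of the Fetch standard's CORS algorithm (safelisted headers, the `*` wildcard and its `Authorization` and credentials exceptions). Note that the test command above sets `allow_origin="*"`, disables the XSRF check and clears the token; that is fine for a throwaway local server, but on a server reachable by others it removes the protections that would otherwise stop a foreign page from starting kernels.

```python
"""Simulate the browser side of a CORS preflight for a cross-origin
kernel-start request (POST /api/kernels from http://localhost:8080 to a
notebook server on http://localhost:8888).

Added example, not code from the notebook project.  The checks below are a
simplified rendering of the Fetch standard's CORS algorithm, and the
'before' / 'after' Access-Control-Allow-Headers values are assumptions
chosen to illustrate the change, not the project's exact header strings.
"""

# Request header names a browser may send cross-origin without the server
# listing them (CORS-safelisted request headers).  The value restrictions
# the spec places on Content-Type are ignored here for brevity.
CORS_SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}


def requested_header_names(request_headers):
    """Names the browser puts in Access-Control-Request-Headers: every
    non-safelisted request header, lowercased and sorted."""
    names = {name.lower() for name in request_headers}
    return sorted(names - CORS_SAFELISTED)


def _csv(value):
    """Split a comma-separated header value into a lowercase set of tokens."""
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def preflight_passes(origin, requested, response_headers, credentials=False):
    """Apply the browser's checks to an OPTIONS (preflight) response.

    origin           - the page's origin, e.g. "http://localhost:8080"
    requested        - names from requested_header_names()
    response_headers - dict of headers the server returned on the OPTIONS
    credentials      - True when the fetch uses credentials: 'include'
    Returns (ok, reason).
    """
    allow_origin = response_headers.get("Access-Control-Allow-Origin", "")
    if allow_origin == "*":
        if credentials:
            return False, "wildcard origin is rejected for credentialed requests"
    elif allow_origin != origin:
        return False, "origin %r not allowed (got %r)" % (origin, allow_origin)

    allowed = _csv(response_headers.get("Access-Control-Allow-Headers", ""))
    for name in requested:
        if name in allowed:
            continue
        # "*" matches any name except authorization, and only when the
        # request carries no credentials; otherwise it is a literal "*".
        if "*" in allowed and not credentials and name != "authorization":
            continue
        return False, "header %r not in Access-Control-Allow-Headers" % name
    return True, "preflight ok"


# Constructed request: what a JavaScript client starting a kernel would send.
KERNEL_START_HEADERS = {
    "Content-Type": "application/json",
    "Authorization": "token 0123abcd",   # placeholder token value
    "X-XSRFToken": "cookie-value",       # sent by the client even if unused server-side
}

# Assumed allow-lists: without and with x-xsrftoken.
ALLOW_HEADERS_BEFORE = "accept, content-type, authorization"
ALLOW_HEADERS_AFTER = "accept, content-type, authorization, x-xsrftoken"


def simulate_kernel_start(allow_headers_value, allow_origin="*"):
    """Play the preflight for the scenario in the pull request and return
    (ok, reason) as the browser would decide it."""
    preflight_response = {
        "Access-Control-Allow-Origin": allow_origin,
        "Access-Control-Allow-Methods": "GET, PUT, POST, PATCH, DELETE, OPTIONS",
        "Access-Control-Allow-Headers": allow_headers_value,
    }
    requested = requested_header_names(KERNEL_START_HEADERS)
    return preflight_passes("http://localhost:8080", requested, preflight_response)


if __name__ == "__main__":
    for label, value in (("before", ALLOW_HEADERS_BEFORE), ("after", ALLOW_HEADERS_AFTER)):
        ok, reason = simulate_kernel_start(value)
        print("%s: %s (%s)" % (label, "kernel request sent" if ok else "blocked", reason))
```

Running it shows the "before" allow-list blocked on `x-xsrftoken` even though the server never reads that header: the browser only compares names in the preflight, so every header the client attaches has to be listed, or the request is never sent.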

rgbkrk approved these changes Sep 30, 2017

rgbkrk (Member) commented Sep 30, 2017

This seems like the right choice for the default, thanks.


rgbkrk merged commit 1cdb411 into jupyter:master Sep 30, 2017 (4 checks passed)

yuvipanda (Contributor) commented Oct 9, 2017

Do folks think we can make a point release with this?


rgbkrk (Member) commented Oct 9, 2017

We're waiting on #2203 according to @gnestor, then this should go out.


gnestor (Contributor) commented Oct 9, 2017

@rgbkrk Care to review? #2911


gnestor added this to the 5.2 milestone Oct 13, 2017
github-actions bot locked as resolved and limited conversation to collaborators Apr 5, 2021