Describe problems and solutions involving CSP headers #3883

Merged
merged 1 commit into from Sep 13, 2018

2 participants
@moble
Contributor

moble commented Aug 27, 2018

This PR just adds a section to the documentation describing problems and solutions to serving jupyter from a public server that uses the Content-Security-Policy (CSP) header.

I ran into these problems using the latest docker container jupyter/scipy-notebook to serve from a subdirectory on an existing webserver. I used a setup essentially like the one described in the docs. I was able to access Jupyter through both the notebook interface and the jupyterlab interface, and the pages basically seemed to be working, in the sense that I could see menus and file listings, and so on.

However, actual connections to the kernel weren't working. For example, when I opened a new notebook, the kernel wouldn't start and I'd get the usual "Connection failed" message saying "A connection to the notebook server could not be established." Or in jupyterlab, everything would look fine, but when I'd try to execute a cell it would just hang. When I tried to open a terminal, nothing at all would happen; I wouldn't get a prompt or any message whatsoever. Looking at the JavaScript console, I saw lots of failed connections to WebSockets (which evidently go via the wss: scheme, or ws: if you're not encrypting), with messages saying that our Content-Security-Policy (CSP) was blocking those requests.

Now, because we have lots of different web apps running, we try to follow basic security guidelines — specifically Mozilla's guidelines, which include a recommendation to use a restrictive CSP. I believe the problem is that our CSP includes default-src https: 'unsafe-inline', and that means that wss: can't be used. My solution was to add

connect-src https: wss:

to the CSP, at least for the subdirectory where I'm serving jupyter. Now, everything's working great. (I also noticed that 'unsafe-inline' is definitely necessary, so I mention that in the docs.)

I had a harder time than I should have figuring that out (because I was looking for 404s, and forgot to check the console for a while), so I'm hoping this at least shows up in search engines for people like me who just searched for the problem first.
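The CSP behaviour described above, as an added example that is not part of this PR or of the Jupyter project: a small evaluator that applies the default-src fallback and the scheme-source matching rule, showing why `default-src https:` blocks the kernel WebSocket and why `connect-src https: wss:` fixes it. The kernel URL and the matcher (scheme sources, `*`, and simple host sources only) are constructed simplifications.

```python
from urllib.parse import urlparse

# Constructed policies: the restrictive CSP from the PR and the corrected one.
RESTRICTIVE_CSP = "default-src https: 'unsafe-inline'"
FIXED_CSP = "default-src https: 'unsafe-inline'; connect-src https: wss:"

# Fetch directives that fall back to default-src when absent (subset of CSP3).
FALLS_BACK_TO_DEFAULT = {"connect-src", "script-src", "style-src", "img-src",
                         "font-src", "media-src", "frame-src"}

# Constructed example of a kernel channel URL opened by the notebook front end.
KERNEL_WS = "wss://example.org/jupyter/api/kernels/abc123/channels"


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def source_matches(source, url):
    """Simplified CSP source matching: '*', scheme-sources such as 'https:' or
    'wss:', and host-sources with optional scheme and a leading '*.' wildcard."""
    if source == "*":
        return url.scheme in ("http", "https", "ws", "wss")
    if source.startswith("'"):          # keywords like 'unsafe-inline' never match a URL
        return False
    if source.endswith(":") and "/" not in source:   # scheme-source
        return url.scheme == source[:-1]
    scheme, _, rest = source.rpartition("://")
    host = rest.split("/", 1)[0].rsplit(":", 1)[0]   # drop path and port
    if scheme and url.scheme != scheme:
        return False
    if host.startswith("*."):
        return url.hostname.endswith(host[1:])
    return url.hostname == host


def request_allowed(header, directive, target_url):
    """Would a request governed by `directive` (connect-src for WebSockets)
    to `target_url` pass this CSP? Applies the default-src fallback."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True                      # directive not governed by this policy
    url = urlparse(target_url)
    return any(source_matches(s, url) for s in sources)
```

Running `request_allowed(RESTRICTIVE_CSP, "connect-src", KERNEL_WS)` returns False (the console error in the report), while the same call with `FIXED_CSP` returns True, and `https:` requests remain allowed under both.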

@minrk


Member

minrk commented Sep 13, 2018

Thanks!

@minrk minrk merged commit bee2c38 into jupyter:master Sep 13, 2018

4 checks passed

codecov/patch Coverage not affected when comparing 98085dc...88d5fc8
codecov/project 73.75% (-0.3%) compared to 98085dc
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed

@minrk minrk added this to the 5.7 milestone Sep 13, 2018
