JupyterHub cross origin requests

[DonJayamanne]

Bug description

I'm one of the engineers working on VS Code, we have started working on adding an extension that allows users to connect to JupyterHub from within VS Code (but VS Code running in the browser).
This is the extension https://marketplace.visualstudio.com/items?itemName=ms-toolsai.jupyter-hub

We are running into CORS issues, I have checked this issue #1087 and still unable to get things working.

Any help in this space would be appreciated. thanks

How to reproduce

1. Sping up a web application
2. Attempt to make an http request to JupyterHub running on a different domain
3. Requet fails with a CORS error
4. The request sent is https://...-8000.app.github.dev/hub/api/users/codespace
5. and the header is Authorization: token <token>
6. No other headers are sent.

Here's the error we get in the browser

Access to fetch at 'https://...-8000.app.github.dev/' from origin 'https://v--....vscode-cdn.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

& here preflight response

Access-Control-Allow-Headers: accept, content-type, authorization
Cache-Control: no-cache,no-store
Content-Length:0
Content-Security-Policy: frame-ancestors 'self'; report-uri /hub/security/csp-report; default-src 'none'

Expected behaviour

Request should succeed.

Actual behaviour

Fails with a CORS error

#1087 (comment)
Only token-authenticated requests can be made cross-origin.

Based on the above comment I assumed that making a request with Auth tokens is allows, but that does not seem to be the case. Unless of course i have misunderstood or not setup something correctly.

Your personal set up

• OS:ubuntu 20.04

• Version(s): jupyterhub 4.0.2, python 3.10.8

Full environment

alembic==1.12.0
anyio==4.0.0
argon2-cffi==23.1.0
argon2-cffi-bindings==21.2.0
arrow==1.2.3
asttokens==2.4.0
async-generator==1.10
async-lru==2.0.4
attrs==23.1.0
Babel==2.12.1
backcall==0.2.0
beautifulsoup4==4.12.2
bleach==6.0.0
certifi==2023.7.22
certipy==0.1.3
cffi==1.15.1
charset-normalizer==3.2.0
comm==0.1.4
cryptography==41.0.4
debugpy==1.8.0
decorator==5.1.1
defusedxml==0.7.1
exceptiongroup==1.1.3
executing==1.2.0
fastjsonschema==2.18.0
fqdn==1.5.1
greenlet==2.0.2
idna==3.4
ipykernel==6.25.2
ipython==8.15.0
isoduration==20.11.0
jedi==0.19.0
Jinja2==3.1.2
json5==0.9.14
jsonpointer==2.4
jsonschema==4.19.1
jsonschema-specifications==2023.7.1
jupyter-events==0.7.0
jupyter-lsp==2.2.0
jupyter-telemetry==0.1.0
jupyter_client==8.3.1
jupyter_core==5.3.2
jupyter_server==2.7.3
jupyter_server_terminals==0.4.4
jupyterhub==4.0.2
jupyterlab==4.0.6
jupyterlab-pygments==0.2.2
jupyterlab_server==2.25.0
Mako==1.2.4
MarkupSafe==2.1.3
matplotlib-inline==0.1.6
mistune==3.0.1
nbclient==0.8.0
nbconvert==7.8.0
nbformat==5.9.2
nest-asyncio==1.5.8
notebook_shim==0.2.3
oauthlib==3.2.2
overrides==7.4.0
packaging==23.1
pamela==1.1.0
pandocfilters==1.5.0
parso==0.8.3
pexpect==4.8.0
pickleshare==0.7.5
platformdirs==3.10.0
prometheus-client==0.17.1
prompt-toolkit==3.0.39
psutil==5.9.5
ptyprocess==0.7.0
pure-eval==0.2.2
pycparser==2.21
Pygments==2.16.1
pyOpenSSL==23.2.0
python-dateutil==2.8.2
python-json-logger==2.0.7
PyYAML==6.0.1
pyzmq==25.1.1
referencing==0.30.2
requests==2.31.0
rfc3339-validator==0.1.4
rfc3986-validator==0.1.1
rpds-py==0.10.3
ruamel.yaml==0.17.32
ruamel.yaml.clib==0.2.7
Send2Trash==1.8.2
six==1.16.0
sniffio==1.3.0
soupsieve==2.5
SQLAlchemy==2.0.21
stack-data==0.6.2
terminado==0.17.1
tinycss2==1.2.1
tomli==2.0.1
tornado==6.3.3
traitlets==5.10.1
typing_extensions==4.8.0
uri-template==1.3.0
urllib3==2.0.5
wcwidth==0.2.6
webcolors==1.13
webencodings==0.5.1
websocket-client==1.6.3

Configuration

# jupyterhub_config.py

# Configuration file for jupyterhub.

c = get_config()  #noqa
c.JupyterHub.authenticator_class = 'jupyterhub.auth.DummyAuthenticator'
# c.JupyterHub.authenticator_class = "dummy"
c.DummyAuthenticator.password = "pwd" # Feel free to change the default password
c.Spawner.args = ['--NotebookApp.allow_origin=*']
from jupyterhub.spawner import SimpleLocalProcessSpawner
c.JupyterHub.spawner_class = SimpleLocalProcessSpawner

Logs

[welcome]

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively.

You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

[yuvipanda]

In your JupyterHub, did you set the config described in #1087 (comment)? IIRC you would still need to explicitly list the domains you want to allow requests from. You could set that to '*' to allow it from anywhere, but that's not the default. This assumes you are using tokens rather than OAuth for auth.

Also, I wrote a blog post many moons ago on how this can work from an installed VSCode (so no CORS issue) - https://blog.jupyter.org/connect-to-a-jupyterhub-from-visual-studio-code-ed7ed3a31bcb. Although I suspect your extension will be far more fully featured!!!

[DonJayamanne]

Oops, yes, sorry I missed that tornado setting.

I wrote a blog post many moons ago on how this can work from an installed VSCode (so no CORS issue) -

Yes, saw that some time ago, thanks a lot for that post.

Although I suspect your extension will be far more fully featured!!!

At thsi stage we're focusing on just connecting to JupyterHub (perhaps later we'll add more features)

Thanks again, closing as solved.