Save and Export (nbconvert) generates 403 with error "'_xsrf' argument missing from GET". #16040
Comments
Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗
@mikedarcy Thank you for opening this issue! Could you please try upgrading JupyterHub to 4.1.1 or newer, and seeing whether this issue recurs? You can see an option to disable this check in the JupyterHub changelog: https://jupyterhub.readthedocs.io/en/stable/reference/changelog.html#id3 (thanks @krassowski)
Thanks for looking into this. I have upgraded JupyterHub to
I added
But unfortunately the
Questions: I am curious about the security implications of globally bypassing the XSRF checks just for "Save and Export" which I thought was core "out-of-the-box" functionality. Wouldn't it be safer to have it enabled and just fix the Anyway, as I mentioned I am new to JupyterLab/JupyterHub and may not fully understand some of the technical subtleties at work here. Thanks for the support!
Adding
Thanks @yelban, I can confirm that this config line does work for me. Yet I am still concerned about having to disable XSRF checking to have this standard feature function properly. As a temporary workaround, it is not a problem. However, this seems like a bug to me, since if the
It would be reasonable to include
Can folks confirm that JupyterHub 4.1.4 fixed the issue?
@krassowski confirming that
@krassowski while
@yelban and @krassowski I think I found the issue. After updating the k8s-hub image and helm chart to
RUN pip install --force-reinstall --no-cache-dir \
    jupyterhub==4.1.4
The lab docker image just needs to catch up.
I can also confirm that
I can also confirm that jupyterhub 4.1.4 fixes the issue. Thanks! @jrdnbradford Thank you for your guidance. I just discovered that everything is back to normal after updating to the quay.io/jupyter/minimal-notebook image that was updated 18 hours ago. There is no need to disable '_xsrf' specifically, and there won't be any issues with exporting downloads. Cheers! The updated minimal-notebook image contains:
Closing because this is fixed with JupyterHub 4.1.4. Thank you all for your contributions!
Description
I've got JupyterLab 4.1.5 and JupyterHub 4.1.0 set up reverse proxied behind an Apache HTTPD. It has a bindUrl of 'http://127.0.0.1:8000/jupyter/' and everything is working as expected, except for Save and Export, which always returns a 403 with '_xsrf' argument missing from GET. The nbconvert URL indeed does not have the _xsrf parameter present, e.g.:
Reproduce
Python 3.10.13 virtual env/Amazon Linux 2/Apache HTTPD
I am using an OAuthenticator but it also happens with PAM.
Output of pip freeze
ssl.conf relevant snippet:
Expected behavior
In a previous 3.7.x setup, this all worked fine. From what I have learned, that is due to xsrf support not being present in that version. Anyway, I would expect this to work just like Download, which does include the _xsrf query parameter when you try to download the notebook.
Incidentally, when I add the _xsrf parameter to the URL manually and GET it in my browser, it works:
I looked at some of the JavaScript in the console and I saw something like this for getDownloadURL:
But, I did not see anything like that for getNBConvertURL:
I'm pretty new to JupyterHub so I don't know if this is all intended and works in some way I don't understand or is it more obvious like the difference in the two functions above.
Context
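Added illustration, not part of the issue thread and not JupyterHub or JupyterLab code: a simplified double-submit model of the check behind the 403 reported above, showing why an nbconvert GET built without the `_xsrf` argument is rejected while the same URL carrying the cookie's token is accepted. The function names, cookie value and URL are constructed for the example, and the real check is assumed to do more than this.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample values, not taken from the issue.
COOKIE = "_xsrf=constructedtoken123; session=abc"
NBCONVERT_URL = "/jupyter/user/alice/nbconvert/html/demo.ipynb?download=true"


class XSRFError(Exception):
    """Stands in for the 403 response (hypothetical name)."""


def cookie_token(cookie_header):
    """Return the _xsrf cookie value, or None when the cookie is absent."""
    jar = SimpleCookie(cookie_header)
    return jar["_xsrf"].value if "_xsrf" in jar else None


def check_xsrf(method, url, cookie_header):
    """Simplified double-submit check: the _xsrf argument must match the cookie."""
    supplied = dict(parse_qsl(urlsplit(url).query)).get("_xsrf")
    if not supplied:
        raise XSRFError(f"'_xsrf' argument missing from {method}")
    expected = cookie_token(cookie_header)
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        raise XSRFError("XSRF cookie does not match argument")
    return True


def with_xsrf(url, cookie_header):
    """Client side: copy the cookie's token into the URL's query string."""
    token = cookie_token(cookie_header)
    if token is None:
        return url
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "_xsrf"]
    query.append(("_xsrf", token))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    try:
        check_xsrf("GET", NBCONVERT_URL, COOKIE)
    except XSRFError as err:
        print("rejected:", err)
    print("accepted:", check_xsrf("GET", with_xsrf(NBCONVERT_URL, COOKIE), COOKIE))
```

A page on another origin can make the browser send the cookie but cannot read its value, so it cannot construct the matching argument; that is the property lost when the check is disabled globally.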