only allow CORS exception when auth is enabled

jupyter · Oct 11, 2017 · 08f7189 · 08f7189
1 parent 9acf6a8
commit 08f7189
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
@@ -530,11 +530,17 @@ def options(self, *args, **kwargs):
         # if authorization header is requested,
         # that means the request is token-authenticated.
         # avoid browser-side rejection of the preflight request.
-        # only allow this exception if allow_origin has not been specified.
+        # only allow this exception if allow_origin has not been specified
+        # and notebook authentication is enabled.
+        # If the token is not valid, the 'real' request will still be rejected.
         requested_headers = self.request.headers.get('Access-Control-Request-Headers', '').split(',')
         if requested_headers and any(
             h.strip().lower() == 'authorization'
             for h in requested_headers
+        ) and (
+            # FIXME: it would be even better to check specifically for token-auth,
+            # but there is currently no API for this.
+            self.login_available
         ) and (
             self.allow_origin
             or self.allow_origin_pat