Merge pull request #2920 from minrk/allow-origin-token

allow token-authenticated requests cross-origin by default
jupyter · Oct 20, 2017 · 55aa80e · 55aa80e
2 parents 42d9667 + 08f7189
commit 55aa80e
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
@@ -287,6 +287,16 @@ def set_default_headers(self):
             origin = self.get_origin()
             if origin and self.allow_origin_pat.match(origin):
                 self.set_header("Access-Control-Allow-Origin", origin)
+        elif (
+            self.token_authenticated
+            and "Access-Control-Allow-Origin" not in
+                self.settings.get('headers', {})
+        ):
+            # allow token-authenticated requests cross-origin by default.
+            # only apply this exception if allow-origin has not been specified.
+            self.set_header('Access-Control-Allow-Origin',
+                self.request.headers.get('Origin', ''))
+
         if self.allow_credentials:
             self.set_header("Access-Control-Allow-Credentials", 'true')
 
@@ -523,6 +533,28 @@ def options(self, *args, **kwargs):
         self.set_header('Access-Control-Allow-Methods',
                         'GET, PUT, POST, PATCH, DELETE, OPTIONS')
 
+        # if authorization header is requested,
+        # that means the request is token-authenticated.
+        # avoid browser-side rejection of the preflight request.
+        # only allow this exception if allow_origin has not been specified
+        # and notebook authentication is enabled.
+        # If the token is not valid, the 'real' request will still be rejected.
+        requested_headers = self.request.headers.get('Access-Control-Request-Headers', '').split(',')
+        if requested_headers and any(
+            h.strip().lower() == 'authorization'
+            for h in requested_headers
+        ) and (
+            # FIXME: it would be even better to check specifically for token-auth,
+            # but there is currently no API for this.
+            self.login_available
+        ) and (
+            self.allow_origin
+            or self.allow_origin_pat
+            or 'Access-Control-Allow-Origin' in self.settings.get('headers', {})
+        ):
+            self.set_header('Access-Control-Allow-Origin',
+                self.request.headers.get('Origin', ''))
+
 
 class Template404(IPythonHandler):
     """Render our 404 template"""