Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

allow token-authenticated requests cross-origin by default #2920

Merged
merged 2 commits into from
Oct 20, 2017
Merged

allow token-authenticated requests cross-origin by default #2920

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9acf6a8
allow token-authenticated requests cross-origin by default
minrk Oct 10, 2017
08f7189
only allow CORS exception when auth is enabled
minrk Oct 11, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions notebook/base/handlers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -281,6 +281,16 @@ def set_default_headers(self):
origin = self.get_origin()
if origin and self.allow_origin_pat.match(origin):
self.set_header("Access-Control-Allow-Origin", origin)
elif (
self.token_authenticated
and "Access-Control-Allow-Origin" not in
self.settings.get('headers', {})
):
# allow token-authenticated requests cross-origin by default.
# only apply this exception if allow-origin has not been specified.
self.set_header('Access-Control-Allow-Origin',
self.request.headers.get('Origin', ''))

if self.allow_credentials:
self.set_header("Access-Control-Allow-Credentials", 'true')

Expand Down Expand Up @@ -517,6 +527,28 @@ def options(self, *args, **kwargs):
self.set_header('Access-Control-Allow-Methods',
'GET, PUT, POST, PATCH, DELETE, OPTIONS')

# if authorization header is requested,
# that means the request is token-authenticated.
# avoid browser-side rejection of the preflight request.
# only allow this exception if allow_origin has not been specified
# and notebook authentication is enabled.
# If the token is not valid, the 'real' request will still be rejected.
requested_headers = self.request.headers.get('Access-Control-Request-Headers', '').split(',')
if requested_headers and any(
h.strip().lower() == 'authorization'
for h in requested_headers
) and (
# FIXME: it would be even better to check specifically for token-auth,
# but there is currently no API for this.
self.login_available
) and (
self.allow_origin
or self.allow_origin_pat
or 'Access-Control-Allow-Origin' in self.settings.get('headers', {})
):
self.set_header('Access-Control-Allow-Origin',
self.request.headers.get('Origin', ''))


class Template404(IPythonHandler):
"""Render our 404 template"""
Expand Down