CORS is not enabled for BinderHub API #177
Comments
|
Now that tokens are enabled, we no longer need to relax CORS restrictions. When you access a notebook server via Binder, a token will be given to you, and that should be used to authenticate requests. Token-authenticated requests are not affected by CORS restrictions. Here is a Python example extending the binder-api example in this repo that requests a kernel and runs code using the token without any relaxation of CORS restrictions. I'd love to have a javascript example that does the same thing using the JupyterLab js. |
|
Having done some browser testing, I think I've misunderstood some of how browsers implement CORS. Using tokens bypasses the server-side CORS check, which allows scripted access to the resources. However, it doesn't bypass the origin checking that happens in the browser. I've opened jupyter/notebook#2920 to make default notebook server behavior what I thought it already was. #180 should restore CORS access in general on Binder, but only for authenticated requests, as it should be. |
|
It looks like #180 restores CORS access to the notebook server, but from what I understand there are two steps in starting kernels using the BinderHub API:
Correct me if I'm wrong, but it looks like #180 allows CORS for 2. while we still need to allow CORS for 1. |
|
@SamLau95 you are 100% correct |
|
#182 enables CORS on BinderHub itself, with some questions about how exactly we should be doing it. |
|
@SamLau95 CORS should be deployed to beta.mybinder.org now. |
|
Thanks @minrk!
…On Mon, Oct 16, 2017 at 5:13 AM Min RK ***@***.***> wrote:
@SamLau95 <https://github.com/samlau95> CORS should be deployed to
beta.mybinder.org now.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#177 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ACWsKAGw06h6Ybwf4lGjNvqvg6eMxJSPks5ss0hagaJpZM4PyFzd>
.
|
I'd like to use BinderHub's API to start kernels from another webpage.
When trying to start a notebook server using the BinderHub API, the browser will error because the Access-Control-Allow-Origin HTTP header is missing.
I believe this should be a simple implementation of
set_default_headersin thebase.py:BaseHandlerclass but I'm still trying to get binderhub set up locally so I can't test it myself.In addition, the current release of
notebook(5.1.0) is missing a header that allows starting kernels from another domain. I fixed it in jupyter/notebook#2876 but is there something we can do to get the fix in for the current deployment of Binder?Happy to talk more about this (in person works too).
Related to #13.
The text was updated successfully, but these errors were encountered: