allow token-authenticated requests cross-origin by default

we already apply this logic in our server-side checks,
but browsers check `Access-Control-Allow-Origin` headers themselves as well,
meaning that token-authenticated requests can’t be made cross-origin without CORS headers from browsers,
only scripts.

This makes default browser and server-side origin checks consistent

notebook/base/handlers.py

@@ -281,6 +281,16 @@ def set_default_headers(self):
             origin = self.get_origin()
             if origin and self.allow_origin_pat.match(origin):
                 self.set_header("Access-Control-Allow-Origin", origin)
+        elif (
+            self.token_authenticated
+            and "Access-Control-Allow-Origin" not in
+                self.settings.get('headers', {})
+        ):
+            # allow token-authenticated requests cross-origin by default.
+            # only apply this exception if allow-origin has not been specified.
+            self.set_header('Access-Control-Allow-Origin',
+                self.request.headers.get('Origin', ''))
+
         if self.allow_credentials:
             self.set_header("Access-Control-Allow-Credentials", 'true')
 
@@ -516,6 +526,17 @@ def options(self, *args, **kwargs):
                         'accept, content-type, authorization, x-xsrftoken')
         self.set_header('Access-Control-Allow-Methods',
                         'GET, PUT, POST, PATCH, DELETE, OPTIONS')
+        # if authorization header is requested,
+        # that means the request is token-authenticated.
+        # avoid browser-side rejection of the preflight request.
+        # only allow this exception if allow_origin has not been specified.
+        if not (
+            self.allow_origin
+            or self.allow_origin_pat
+            or 'Access-Control-Allow-Origin' in self.settings.get('headers', {})
+        ):
+            self.set_header('Access-Control-Allow-Origin',
+                self.request.headers.get('Origin', ''))
 
 
 class Template404(IPythonHandler):