Add x-xsrftoken to Access-Control-Allow-Headers #2876

Merged
merged 1 commit into from
Sep 30, 2017

Commits on Sep 28, 2017

  1. Add x-xsrftoken to Access-Control-Allow-Headers

    When starting a kernel using the Jupyter Notebook Kernel API, web
    browsers will automatically check for the presence of `x-xsrftoken` in
    the Access-Control-Allow-Headers during the preflight CORS check
    ([ref][ref]).
    
    [ref]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
    
    Since we didn't allow this header before, web browsers would fail the
    preflight check even when the x-xsrftoken header isn't being used by the
    notebook server.
    
    This meant that running a webpage on localhost:8080 that used JavaScript
    to start a kernel on a notebook server running on localhost:8888 would
    fail.
    
    How I tested this commit:
    
    1. Start a notebook server using
    
    		jupyter notebook --no-browser --NotebookApp.allow_origin="*" --NotebookApp.disable_check_xsrf=True --NotebookApp.token=''
    
    2. Build the [web3](https://github.com/jupyter-widgets/ipywidgets/tree/master/examples/web3) example from ipywidgets.
    3. In that directory, run `npm run host`.
    4. Verify that visiting http://localhost:8080/ starts a kernel in the notebook server.
    SamLau95 committed Sep 28, 2017
    1c2a256
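
The preflight comparison the commit message describes, as an added Python example that is not part of the pull request or the notebook code base. The `BEFORE`/`AFTER` header lists and the sample request are constructed, and the safelist is simplified from the Fetch specification (no `*` wildcard handling).

```python
"""Simulate the header part of a browser's CORS preflight decision."""

# Request headers a browser sends cross-origin without asking in the preflight.
SAFELISTED = {"accept", "accept-language", "content-language"}
# Content-Type is only safelisted for these MIME types.
SAFE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
}


def parse_header_list(value):
    """Split a comma-separated header-name list into a lowercase set."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def headers_needing_approval(request_headers):
    """Header names the browser lists in Access-Control-Request-Headers."""
    needed = set()
    for name, value in request_headers.items():
        lname = name.lower()  # header names are case-insensitive
        if lname in SAFELISTED:
            continue
        mime = value.split(";")[0].strip().lower()
        if lname == "content-type" and mime in SAFE_CONTENT_TYPES:
            continue
        needed.add(lname)
    return needed


def preflight_blocked_headers(request_headers, allow_headers_value):
    """Headers the preflight response does not approve; empty set means pass."""
    allowed = parse_header_list(allow_headers_value)
    return headers_needing_approval(request_headers) - allowed


# Constructed sample: a script on localhost:8080 POSTing to /api/kernels on
# localhost:8888 with a JSON body and an XSRF header attached by the client.
REQUEST = {"Content-Type": "application/json", "X-XSRFToken": "constructed-token"}

# Assumed Access-Control-Allow-Headers values before and after the change.
BEFORE = "accept, content-type"
AFTER = BEFORE + ", x-xsrftoken"

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        blocked = preflight_blocked_headers(REQUEST, value)
        print(label, "->", "blocked: " + ", ".join(sorted(blocked)) if blocked else "pass")
```

Listing the header in `Access-Control-Allow-Headers` only lets the browser send it; whether the server validates the token is governed separately, by the `disable_check_xsrf` setting used in the test command.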