Embedding in iframe

[aiv-code]

When I try to embedd tljh in iframe with below settings in jupyter_config.py file

c.JupyterHub.tornado_settings = {
    'headers': {
         'Content-Security-Policy': 'frame-ancestors self *',
    }
}
c.Spawner.args = ["'--NotebookApp.tornado_settings={'headers': {'Content-Security-Policy': 'frame-ancestors self * ', }}'"]

I am getting following error when I try to start user server. Any idea what is wrong?

> May 03 14:03:25 instance-5 python3[31964]:     KeyError: "'headers'"
May 03 14:03:25 instance-5 python3[31964]:         USERID=self.user.id
May 03 14:03:25 instance-5 python3[31964]:       File "/opt/tljh/hub/lib/python3.6/site-packages/systemdspawner/systemdspawner.py", line 157, in _expand_user_vars
May 03 14:03:25 instance-5 python3[31964]:         args=[self._expand_user_vars(a) for a in self.get_args()],
May 03 14:03:25 instance-5 python3[31964]:       File "/opt/tljh/hub/lib/python3.6/site-packages/systemdspawner/systemdspawner.py", line 280, in <listcomp>
May 03 14:03:25 instance-5 python3[31964]:         args=[self._expand_user_vars(a) for a in self.get_args()],
May 03 14:03:25 instance-5 python3[31964]:       File "/opt/tljh/hub/lib/python3.6/site-packages/systemdspawner/systemdspawner.py", line 280, in start
May 03 14:03:25 instance-5 python3[31964]:         url = await gen.with_timeout(timedelta(seconds=spawner.start_timeout), f)
May 03 14:03:25 instance-5 python3[31964]:       File "/opt/tljh/hub/lib/python3.6/site-packages/jupyterhub/user.py", line 409, in spawn
May 03 14:03:25 instance-5 python3[31964]:         raise e
May 03 14:03:25 instance-5 python3[31964]:       File "/opt/tljh/hub/lib/python3.6/site-packages/jupyterhub/user.py", line 489, in spawn

[aiv-code]

Does anybody have any idea?

[yuvipanda]

@jtpio thank you for opening this issue.

Can you try putting the Notebook config in /usr/local/etc/jupyter/jupyter_notebook_config.py? Something like:

c.NotebookApp.tornado_settings = {
  'headers': {
     'Content-Security-Policy': 'frame-ancestors self *',
   }
}

That'll probably work out better than trying to set it via cmd.

[pqshi1219]

I have the same problem. Is there a solution?

[aryeh-looker]

I've looked at this somewhat extensively. I am using the littlest jupyterhub. There is a related issue here jupyterhub/jupyterhub#379. My configuration looks like this:

c.JupyterHub.tornado_settings = {
    'headers': {
        'Content-Security-Policy': "frame-ancestors localhost:9999",
    }
}
c.NotebookApp.tornado_settings = {
  'headers': {
      'Content-Security-Policy': 'frame-ancestors localhost:9999'
   }
}

and is located at /opt/tljh/config/jupyterhub_config.d/config.py as specified in the docs (https://tljh.jupyter.org/en/latest/topic/escape-hatch.html). The problem appears to be that the c.JupyterHub.tornado_settings has an effect, but c.NotebookApp.tornado_settings does not. In other words, specifying the security policy for c.JupyterHub.tornado_settings appears to correctly alter the security policy for hub pages like / and /hub:

c.NotebookApp.tornado_settings should affect the policy, I believe, on pages like /tree, which I believe host the notebook app, but the security policy for requests to that path are not affected by configuration:

[andreaprakash]

@aryeh-looker I'm facing the same issue as well. I'm able to embed hub pages like / and hub/ but opening a notebook, i.e. pages like /tree are blocked by the security policy. Were you able to find any solution to this?

[AmalVijayan]

Here is a work around,

1. Have a common notebook configuration file for all the users who log into Jupyterhub.
2. Pass the configuration file as spawner args.

Follow the procedure below:

1. Create a file named jupyter_notebook_config.py in a specific location say /home/shared_config/

You can either create the file manually using a text editor like vim or generate a default coinfig file using jupyter notebook with the following command

jupyter notebook --generate-config

Note that the above command requires jupyter notebook to be installed (pip3 install jupyterhub notebook)

After the installation if you face an error related to ruamel.yaml version on loading the tljh-config, execute the following command:
pip3 install ruamel.yaml==0.15.*

2. Open the jupyter_notebook_config.py file that you created above and add the following code:

c.NotebookApp.tornado_settings={'headers': {'Content-Security-Policy': "frame-ancestors * 'self' "}}
change the permission of the file using the following code:
chmod -R 755 /home/shared_config/jupyter_notebook_config.py

3. Open you jupyterhub configuration file (by default located in /opt/tljh/config/jupyterhub_config.d/jupyterhub_config.py) and add the following code:

Note: you can generate jupyterhub configuration file using the following command:
jupyterhub --generate-config

c.Spawner.args = [ '--config=/home/shared_config/jupyter_notebook_config.py']

4. Reload the tljf-config using the following command:

sudo tljf-config reload

5. Happy coding !!

Here is what my config looks like

-- /opt/tljh/config/jupyterhub_config.d/jupyterhub_config.py

c.JupyterHub.tornado_settings = {'headers': {'Content-Security-Policy': "frame-ancestors * 'self' "}}
c.Spawner.args = [ '--config=/home/ubuntu/jupyter_notebook_config.py']

-- /home/shared_config/jupyter_notebook_config.py

c.NotebookApp.tornado_settings={'headers': {'Content-Security-Policy': "frame-ancestors * 'self' "}}

Some useful references and related issues:

• https://jupyterhub.readthedocs.io/en/stable/getting-started/config-basics.html
• https://minrk-notebook.readthedocs.io/en/latest/config.html
• https://jupyterhub.readthedocs.io/en/stable/getting-started/spawners-basics.html
• Can't start single-user server jupyterhub#335
• Embedding in iframe #312
• Unable to pass tornado_settings command line with a space. jupyter/notebook#3904
• Embedding jupyterhub in iframe jupyterhub#379

[Amran2k16]

I spent 3 days trying to figure this out because it wasn't working for me. The suggestions regarding the addition of a jupyterhub_config.py worked for me to implement the login page. For actually using the notebook once logged in it didnt work. I had to go into the python file that sets the default Content-Security-Policy.

steps I took where as follows. I used grep in the root of my ec2 instance to discover which files contained "frame-ancestors 'self' ". This led me to the file which can be found in the following path opt/tljh/hub/lib/python3.6/site-packages/jupyterhub/handlers/base.py

I simply used vim to edit line 193 to include * as well.
["frame-ancestors 'self'", "report-uri " + self.csp_report_uri]
to
["frame-ancestors 'self' *", "report-uri " + self.csp_report_uri]

edit:

After doing this i realised it didn't work for new users i created. So to remedy this i went through all the files that contained content-security-policy using grep from my root directory
grep -insrIw "frame-ancestors 'self'"" *
This returned a list of files. i simply added * to the end of these.

NOTE : This is definitely not safe. It was just something i needed to do for testing and development purposes.

[iampatterson]

I spent 3 days trying to figure this out because it wasn't working for me. The suggestions regarding the addition of a jupyterhub_config.py worked for me to implement the login page. For actually using the notebook once logged in it didnt work. I had to go into the python file that sets the default Content-Security-Policy.

steps I took where as follows. I used grep in the root of my ec2 instance to discover which files contained "frame-ancestors 'self' ". This led me to the file which can be found in the following path opt/tljh/hub/lib/python3.6/site-packages/jupyterhub/handlers/base.py

I simply used vim to edit line 193 to include * as well.
["frame-ancestors 'self'", "report-uri " + self.csp_report_uri]
to
["frame-ancestors 'self' *", "report-uri " + self.csp_report_uri]

edit:

After doing this i realised it didn't work for new users i created. So to remedy this i went through all the files that contained content-security-policy using grep from my root directory
grep -insrIw "frame-ancestors 'self'"" *
This returned a list of files. i simply added * to the end of these.

NOTE : This is definitely not safe. It was just something i needed to do for testing and development purposes.

How would you suggest that you "do this safely" I am looking to embed my Jupyterhub in an iframe on a new website and need to figure out the best way to do this.

[sclaybon]

How would you suggest that you "do this safely" I am looking to embed my Jupyterhub in an iframe on a new website and need to figure out the best way to do this.

Did you happen to glean any information on any sort of 'safer' workaround than an iframe?

[Amran2k16]

Unfortunately not. Securitywise my project was too difficult so I called it quits after a while.

…

On Wed, 21 Apr 2021, 15:45 swazonic, ***@***.***> wrote: How would you suggest that you "do this safely" I am looking to embed my Jupyterhub in an iframe on a new website and need to figure out the best way to do this. Did you happen to glean any information on any sort of 'safer' workaround than an iframe? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#312 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEM3U3ENQUM335YTLBYP6YLTJ3QHVANCNFSM4HKUHX2Q> .

[guillaume-ion]

Hi I'm confronted with the same issue, I've been pulling my hair for 3 days now on how to do this.
I've tried the solution provided by @AmalVijayan but with no luck.

I have the simplest install on an AWS EC2 instance
but i'm faced with the following error message in the browser console :
Refused to frame 'http://xxxxxxxxxxx.yyyyyyy.compute.amazonaws.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors *".

[kaivalyapendse]

@AmalVijayan Hi Amal, I am facing the same issue. I have replicated your steps but still getting the error as :
Blocked autofocusing on a <input> element in a cross-origin subframe. For the pages ahead of the login page. Login page is rendering fine but not able to login.

Could anyone throw some light on this?