[BUG] - Panel Preview is blocked

[kcpevey]

Describe the bug

Breaking this out from this issue comment.

Panel Preview has worked for me in the past, but with our current (nebari 2024.7.1) version of JHub/JLab, this extension no longer works.

For reference, I originally asked about this on the holoviz discourse.

Expected behavior

You can preview a panel object in the notebook:

However, Panel Preview allows you to view what it would look like deployed. This is particularly helpful when developing apps which include templates since they won't render in the notebook context AND for deployed apps, any errors which may arise during the deployment process can be surfaced here, in the notebook, where it can be immediately modified.

This is particularly important in the context of Nebari since getting to the logs for app deployment is tedious and not well documented. Being able to work through deployment bugs before moving to the App Launcher interface would greatly improve usability.

OS and architecture in which you are running Nebari

Linux AWS

How to Reproduce the problem?

Environment:

channels:
  - conda-forge
dependencies:
  - python=3.10
  - panel
  - param
  - ipykernel

In a notebook:

import panel as pn

pn.extension()

pn.Row(pn.pane.Markdown("Some text")).servable()

Command output

The preview pane itself is showing nebari.quansight.dev refused to connect. and the js console is showing the error: Refused to frame 'https://nebari.quansight.dev/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

Versions and dependencies used.

No response

Compute environment

None

Integrations

No response

Anything else?

From @krassowski in the original discussion:

JupyterHub 4.1 introduced pretty restrictive CSP. In principle we can change CSP with c.JupyterHub.tornado_settings traitlet.

For reference:

• https://jupyter-server.readthedocs.io/en/latest/operators/public-server.html#content-security-policy-csp
• https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#mitigating-same-origin-deployments

Here is a related upstream issue:

• frame-ancestors set to 'none' prevent voila and maybe other extensions to show their content in JupyterHub since 4.1.0 jupyterhub/jupyterhub#4823

Quoting:

This is required for inter-user security on single-domain deployments, but can be safely disabled with per-user subdomains.

Nebari should implement per-user domains and then all these restrictions can be safely lifted.

[dharhas]

@krassowski is there any way for the panel preview to work without relaxing the CSP or enabling per-user domains. i.e. is there anything we can do with upstream changes to the preview button implementation

[krassowski]

Yes. I opened an upstream issue in holoviz/panel#7039 and will open two PRs to implement changes required.