Open milandeepbassi opened 3 months ago
Confirmed!
Workaround if you are using JupyterHub in Kubernetes: edit the Helm chart and add the key extraFiles with the following content. Please replace the domain with your domain.
singleuser:
  [...]
  extraFiles:
    server-config:
      mountPath: /etc/jupyter/jupyter_server_config.json
      data: {
        ServerApp: {
          tornado_settings: {'headers': {'Content-Security-Policy': "frame-ancestors self https://example.com;"}}
        }
      }
You can have just "frame-ancestors self" without having to specify a domain. However, note that this obviously impacts security of the whole JupyterHub.
I would like to use the workaround until the problem is fixed in nbgrader. JupyterHub is installed directly on my server OS and I modified jupyterhub_config.py as follows:
c.JupyterHub.ServerApp.tornado_settings = {
    "headers": {"Content-Security-Policy": "frame-ancestors 'self' "}
}
Unfortunately the workaround did not work in my case. I don't see any change in the response header of the GET /formgrader request.
@goekce I think JupyterHub is still using jupyter-notebook rather than jupyter-server. Try using c.JupyterHub.NotebookApp.tornado_settings rather than c.JupyterHub.ServerApp.tornado_settings, or setting this in /etc/jupyter/jupyter_notebook_config.py.
Nice idea @lahwaacz ! I tried both Jupyterhub settings and:
/etc/jupyter/jupyter_notebook_config.d/nbgrader_jhub4.1_workaround.json
{
  "NotebookApp": {
    "tornado_settings": {
      "headers": {"Content-Security-Policy": "frame-ancestors 'self' "}
    }
  }
}
They did not help however 🙁. I see no effect of these settings in the response headers. I believe something else is overwriting these settings in my case.
@goekce Hmm, maybe also add the same to c.JupyterHub.tornado_settings in the jupyterhub_config.py
@lahwaacz
Changing the following line manually seems to change the response headers:
So I believe Jupyterhub is using the ServerApp.
However the following lines do not have an effect:
c.ServerApp.tornado_settings = {
    "headers": {"Content-Security-Policy": "frame-ancestors 'self' "}
}
c.JupyterHub.ServerApp.tornado_settings = ... # same
I probably should try with a clean installation.
Operating system
Ubuntu 22
nbgrader --version
0.9.1
jupyterhub --version (if used with JupyterHub)
4.1.0
jupyter notebook --version
7.1.2
Expected behavior
Actual behavior
Steps to reproduce the behavior
Created an instance with The Littlest JupyterHub that fetches JupyterHub 4.1.0 and installed NBGrader. Tried to access Formgrader and get the following error on browsers.
It is due to this update on Jupyterhub here: https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#mitigating-same-origin-deployments
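Added example (not from the thread and not JupyterHub or nbgrader code): a small parser for the Content-Security-Policy values seen on the GET /formgrader response, reporting whether same-origin framing is allowed and whether a keyword was written without its single quotes. The function names, the origin and the header values are assumptions made for this example; source matching is limited to 'self', * and an exact origin string.

```python
# Added example: every header value below is constructed for illustration.
KEYWORDS = {"self", "none"}  # CSP keywords are only recognised inside single quotes


def frame_ancestors(policy):
    """Return the source list of the first frame-ancestors directive, or None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]  # a repeated directive in the same policy is ignored
    return None


def check_same_origin_framing(csp_values, origin):
    """Return (allowed, warnings) for a page at `origin` framing this response.

    csp_values holds every Content-Security-Policy header value on the response.
    Policies are enforced independently, so each one that carries
    frame-ancestors has to allow the origin.
    """
    allowed, warnings = True, []
    policies = [p for value in csp_values for p in value.split(",") if p.strip()]
    for policy in policies:
        sources = frame_ancestors(policy)
        if sources is None:
            continue  # this policy does not restrict framing
        for src in sources:
            if src.lower() in KEYWORDS:
                warnings.append(f"unquoted {src!r} is matched as a host name, not a keyword")
        ok = any(s.lower() == "'self'" or s == "*" or s.rstrip("/") == origin
                 for s in sources)
        allowed = allowed and ok
    return allowed, warnings


if __name__ == "__main__":
    origin = "https://hub.example.org"  # hypothetical hub origin
    samples = [
        ["frame-ancestors 'none'"],
        ["frame-ancestors 'self' "],
        ["frame-ancestors self"],
        ["frame-ancestors 'self'", "frame-ancestors 'none'"],
    ]
    for values in samples:
        print(values, "->", check_same_origin_framing(values, origin))
```

Pass the function every Content-Security-Policy value copied from the browser's network panel; a response carrying two policies is only frameable when both allow it.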