jupyter / nbgrader

A system for assigning and grading notebooks
https://nbgrader.readthedocs.io/
BSD 3-Clause "New" or "Revised" License
1.3k stars, 317 forks

Set CSP frame-ancestors 'self' for nbgrader handlers #1915

Closed. jeflem closed this 6 days ago

jeflem commented 2 months ago

This PR solves issue #1870 (formgrader does not show in a JupyterLab tab due to JupyterHub >=4.1.0 security settings in HTTP headers).

Starting with JupyterHub 4.1.0, the HTTP header

Content-Security-Policy: frame-ancestors 'none'

is the default setting instead of

Content-Security-Policy: frame-ancestors 'self'

See Mitigating same-origin deployments for some background on this decision and CSP: frame-ancestors for details on the header.

The 'none' header prevents loading of formgrader in a tab of JupyterLab.

The JupyterHub 'none' setting overwrites the 'self' setting of Jupyter Server running without JupyterHub. See

To allow embedding of nbgrader's formgrader (and possibly other nbgrader components) without affecting the security of other JupyterHub components, this PR sets frame-ancestors to 'self' for responses of nbgrader handlers only.

The class BaseHandler modified by this PR is a subclass of tornado.web.RequestHandler, which provides the set_header method.
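
To make concrete why the JupyterHub default of 'none' blocks the formgrader tab while 'self' permits it, and why scoping the weaker value to nbgrader responses leaves the rest of the hub unframeable, here is an added example that is not nbgrader's or JupyterHub's code. It evaluates a frame-ancestors source list the way a browser does (keywords 'none' and 'self', scheme-sources such as https:, host-sources with an optional *. wildcard and port) and models the PR's scoping with a hypothetical path-prefix rule; the /formgrader prefix, the hub.example host names and the helper names are assumptions for the example only.

```python
"""Evaluate CSP frame-ancestors and model per-handler scoping (added example)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# The two header values discussed in the PR.
HUB_DEFAULT_CSP = "frame-ancestors 'none'"   # JupyterHub >= 4.1.0 default
NBGRADER_CSP = "frame-ancestors 'self'"      # value the PR sets on nbgrader responses


def origin(url):
    """Return the (scheme, host, port) origin of a URL, filling in the default port."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    return (u.scheme.lower(), host, u.port or DEFAULT_PORTS.get(u.scheme.lower()))


def frame_ancestors(csp):
    """Extract the frame-ancestors source list from a CSP header value.

    Returns None when the directive is absent, meaning CSP imposes no framing restriction.
    """
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def source_matches(src, page, ancestor):
    """Does one source expression permit `ancestor` to frame a document at origin `page`?"""
    if src == "'none'":
        return False
    if src == "'self'":
        return page == ancestor            # same scheme, host and port
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:   # scheme-source, e.g. "https:"
        return ancestor[0] == src[:-1]
    # host-source: [scheme://]host[:port]; an omitted scheme takes the page's scheme
    # (simplification: the http->https upgrade rule of the spec is not modelled).
    if "://" in src:
        scheme, rest = src.split("://", 1)
    else:
        scheme, rest = page[0], src
    host, _, port = rest.partition(":")
    if port == "*":
        port_ok = True
    elif port:
        port_ok = ancestor[2] == int(port)
    else:
        port_ok = ancestor[2] == DEFAULT_PORTS.get(scheme)
    if host.startswith("*."):
        host_ok = ancestor[1].endswith(host[1:])
    else:
        host_ok = ancestor[1] == host
    return ancestor[0] == scheme and host_ok and port_ok


def may_be_framed(csp, page_url, ancestor_url):
    """True if a document at page_url served with header value `csp` may be
    embedded by a document at ancestor_url (a JupyterLab tab is such an embedder)."""
    sources = frame_ancestors(csp)
    if sources is None:
        return True
    page, ancestor = origin(page_url), origin(ancestor_url)
    return any(source_matches(s, page, ancestor) for s in sources)


def csp_for_path(path):
    """Model of the PR's scoping: only nbgrader handler responses get 'self';
    every other response keeps the hub default. The /formgrader prefix is an
    assumption for this example, not nbgrader's routing."""
    return NBGRADER_CSP if path.startswith("/formgrader") else HUB_DEFAULT_CSP


if __name__ == "__main__":
    lab = "https://hub.example/user/alice/lab"           # constructed JupyterLab URL
    fg = "https://hub.example/formgrader/gradebook"       # constructed formgrader URL
    for csp in (HUB_DEFAULT_CSP, NBGRADER_CSP):
        print(f"{csp!r:32} lab may frame formgrader: {may_be_framed(csp, fg, lab)}")
    print("cross-origin embedder with 'self':",
          may_be_framed(NBGRADER_CSP, fg, "https://attacker.example/"))
```

Running it shows the three facts the PR relies on: with the hub default no same-origin page can frame formgrader, with 'self' the JupyterLab tab (same scheme, host and port) can, and 'self' still refuses any other origin, including the same host on a different port. The same evaluator can be pointed at the header a reverse proxy actually emits to check whether an override such as the Apache one mentioned later in the thread has widened the policy for more than the nbgrader paths.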

github-actions[bot] commented 2 months ago

Binder: Launch a Binder on branch jeflem/nbgrader/formgraderjhub41

brichet commented 6 days ago

Bump CI

brichet commented 6 days ago

@jeflem I took the liberty of merging main into this PR to try to fix the check_release test, as mentioned at https://github.com/jupyter-server/jupyter_releaser/issues/593#issuecomment-2478628377

LukasMueller187 commented 38 minutes ago

Hi, just wanted to check in here because we do have problems with clients using iPads (browser doesn't matter). Feedback HTML files are rejected because of the frame-ancestors directive. I thought 0.9.4 would fix it but it doesn't. Manually setting the header to 'self' again (in our case in Apache) does solve the issue, but as stated in the first post this is discouraged.

Any ideas?

Edit: example error: Refused to load blob:https://<removed>/7a8d70b7-1c35-4f18-b24f-9c5280a28717 because it does not appear in the frame-ancestors directive of the Content Security Policy.