Open aiv-code opened 5 years ago
Does anybody have any idea?
@jtpio thank you for opening this issue.
Can you try putting the Notebook config in /usr/local/etc/jupyter/jupyter_notebook_config.py? Something like:
c.NotebookApp.tornado_settings = {
    'headers': {
        'Content-Security-Policy': 'frame-ancestors self *',
    }
}
That'll probably work out better than trying to set it via cmd.
I have the same problem. Is there a solution?
I've looked at this somewhat extensively. I am using the littlest jupyterhub. There is a related issue here https://github.com/jupyterhub/jupyterhub/issues/379. My configuration looks like this:
c.JupyterHub.tornado_settings = {
    'headers': {
        'Content-Security-Policy': "frame-ancestors localhost:9999",
    }
}
c.NotebookApp.tornado_settings = {
    'headers': {
        'Content-Security-Policy': 'frame-ancestors localhost:9999'
    }
}
and is located at /opt/tljh/config/jupyterhub_config.d/config.py as specified in the docs (https://tljh.jupyter.org/en/latest/topic/escape-hatch.html). The problem appears to be that the c.JupyterHub.tornado_settings has an effect, but c.NotebookApp.tornado_settings does not. In other words, specifying the security policy for c.JupyterHub.tornado_settings appears to correctly alter the security policy for hub pages like / and /hub.
c.NotebookApp.tornado_settings should affect the policy, I believe, on pages like /tree, which I believe host the notebook app, but the security policy for requests to that path is not affected by configuration.
@aryeh-looker I'm facing the same issue as well. I'm able to embed hub pages like / and hub/ but opening a notebook, i.e. pages like /tree, is blocked by the security policy. Were you able to find any solution to this?
Here is a workaround.
Follow the procedure below:
You can either create the file manually using a text editor like vim or generate a default config file using jupyter notebook with the following command:
jupyter notebook --generate-config
Note that the above command requires jupyter notebook to be installed (pip3 install jupyterhub notebook). After the installation, if you face an error related to the ruamel.yaml version on loading the tljh-config, execute the following command:
pip3 install ruamel.yaml==0.15.*
c.NotebookApp.tornado_settings={'headers': {'Content-Security-Policy': "frame-ancestors * 'self' "}}
Change the permission of the file using the following code:
chmod -R 755 /home/shared_config/jupyter_notebook_config.py
Note: you can generate a jupyterhub configuration file using the following command:
jupyterhub --generate-config
c.Spawner.args = [ '--config=/home/shared_config/jupyter_notebook_config.py']
sudo tljh-config reload
Here is what my config looks like
-- /opt/tljh/config/jupyterhub_config.d/jupyterhub_config.py
c.JupyterHub.tornado_settings = {'headers': {'Content-Security-Policy': "frame-ancestors * 'self' "}}
c.Spawner.args = [ '--config=/home/ubuntu/jupyter_notebook_config.py']
-- /home/shared_config/jupyter_notebook_config.py
c.NotebookApp.tornado_settings={'headers': {'Content-Security-Policy': "frame-ancestors * 'self' "}}
Some useful references and related issues:
I spent 3 days trying to figure this out because it wasn't working for me. The suggestions regarding the addition of a jupyterhub_config.py worked for me to implement the login page. For actually using the notebook once logged in, it didn't work. I had to go into the Python file that sets the default Content-Security-Policy.
The steps I took were as follows. I used grep in the root of my EC2 instance to discover which files contained "frame-ancestors 'self' ". This led me to the file which can be found in the following path: opt/tljh/hub/lib/python3.6/site-packages/jupyterhub/handlers/base.py
I simply used vim to edit line 193 to include as well. ["frame-ancestors 'self'", "report-uri " + self.csp_report_uri] to ["frame-ancestors 'self' ", "report-uri " + self.csp_report_uri]
Edit:
After doing this I realised it didn't work for new users I created. So to remedy this I went through all the files that contained content-security-policy using grep from my root directory: grep -insrIw "frame-ancestors 'self'\"" This returned a list of files. I simply added to the end of these.
NOTE: This is definitely not safe. It was just something I needed to do for testing and development purposes.
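The header values posted in this thread differ in how much framing they allow, so the following added example (not code from the thread or from JupyterHub) audits a `frame-ancestors` directive and builds one from an explicit allowlist. The function names and the `https://portal.example.org` origin are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def frame_ancestors(csp):
    """Source list of the first frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def audit(csp):
    """Findings for one Content-Security-Policy header value."""
    sources = frame_ancestors(csp)
    if sources is None:
        return ["no frame-ancestors directive: CSP does not restrict framing"]
    findings = []
    for src in sources:
        if src == "*":
            findings.append("*: any site can frame the page")
        elif src.lower() in ("self", "none"):
            findings.append(f"{src}: unquoted, so read as a host name; write '{src}'")
        elif src.lower() in ("http:", "https:"):
            findings.append(f"{src}: allows every origin on that scheme")
    return findings

def build_policy(origins):
    """frame-ancestors value allowing 'self' plus exact scheme://host[:port] origins."""
    sources = ["'self'"]
    for origin in origins:
        parts = urlsplit(origin)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https") or not host or "*" in host:
            raise ValueError(f"not an exact origin: {origin!r}")
        if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
            raise ValueError(f"use scheme://host[:port] only: {origin!r}")
        sources.append(f"{parts.scheme}://{parts.netloc}")
    return "frame-ancestors " + " ".join(sources)

# Header values as posted in this thread, plus one built for a placeholder portal.
SAMPLES = [
    "frame-ancestors self *",
    "frame-ancestors * 'self' ",
    "frame-ancestors localhost:9999",
    build_policy(["https://portal.example.org"]),  # hypothetical embedding site
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", audit(value) or "no findings")
```

The string returned by `build_policy` is the value that goes under the `'Content-Security-Policy'` key of the `tornado_settings` headers shown in the configurations above.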
How would you suggest that you "do this safely"? I am looking to embed my Jupyterhub in an iframe on a new website and need to figure out the best way to do this.
Did you happen to glean any information on any sort of 'safer' workaround than an iframe?
Unfortunately not. Security-wise my project was too difficult so I called it quits after a while.
On Wed, 21 Apr 2021, 15:45 swazonic, @.***> wrote:
> How would you suggest that you "do this safely" I am looking to embed my Jupyterhub in an iframe on a new website and need to figure out the best way to do this.
>
> Did you happen to glean any information on any sort of 'safer' workaround than an iframe?
Hi, I'm confronted with the same issue. I've been pulling my hair for 3 days now on how to do this. I've tried the solution provided by @AmalVijayan but with no luck.
I have the simplest install on an AWS EC2 instance, but I'm faced with the following error message in the browser console:
Refused to frame 'http://xxxxxxxxxxx.yyyyyyy.compute.amazonaws.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors *".
@AmalVijayan Hi Amal, I am facing the same issue. I have replicated your steps but am still getting the error:
Blocked autofocusing on a <input> element in a cross-origin subframe.
This is for the pages after the login page. The login page is rendering fine but I am not able to log in.
Could anyone throw some light on this?
When I try to embed tljh in an iframe with the below settings in the jupyter_config.py file
I am getting the following error when I try to start the user server. Any idea what is wrong?