Closed jeffyjefflabs closed 4 years ago
I tested the change in both Firefox and Chrome with Jupyter and nbgallery running http and https (using the `GEN_CERT` flag for Jupyter). All combinations work, except of course http + Chrome + strict cookie checking enabled.
Chrome 80 implements a stricter check on third-party cookies; basically the browser will no longer send a third-party cookie unless that cookie was originally set with certain options (more background). On slightly older versions of Chrome you can opt into the new behavior via settings at `chrome://flags/#same-site-by-default-cookies`. The new behavior will break nbgallery-Jupyter integration because sending notebooks back and forth via Ajax requires that third-party cookies be set in both directions.

Saving notebooks from Jupyter to nbgallery requires that nbgallery's login cookie be set for the Ajax request initiated from the Jupyter side. This was addressed in https://github.com/nbgallery/nbgallery/pull/277.

Launching a notebook from nbgallery into Jupyter requires that Jupyter's login cookie be set for the Ajax request initiated from the nbgallery side. This can be addressed by setting Jupyter's cookie options (see discussion).
Because setting `SameSite=None` on a cookie also requires it to be `Secure`, this means that running both Jupyter and nbgallery on plain http will no longer work in browsers that implement the strict behavior. Also note that the `Secure` flag means if you try to set the cookie while running in plain http, the browser will completely reject it and it will be as if you didn't log in at all. Thus we should only set Jupyter's cookie options when we know we're running in https. That seems to be a little tricky; ideally we would check if `NotebookApp.certfile` was set, but I don't see a one-size-fits-all spot to do that. So what I'll do is support it for the `GEN_CERT=yes` environment variable (which makes the image generate a self-signed key at startup then run in https) but if users of our image are setting the certfile some other way, they will likely need to set the cookie options as well.
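The following is an added example, not code from this PR or from the nbgallery project: a `jupyter_notebook_config.py` fragment that sets the login cookie's `SameSite`/`Secure` attributes only when `GEN_CERT=yes` is present, plus a small checker that tells you whether a given `Set-Cookie` header would survive a cross-site Ajax request under Chrome 80's strict defaults. The `GEN_CERT` semantics come from the text above; the assumption that the notebook server passes a `cookie_options` dict from `NotebookApp.tornado_settings` through to Tornado's `set_secure_cookie()` (with `samesite` and `secure` as the keyword names) is mine, which is exactly why the header checker is there: after deploying, look at the real `Set-Cookie` header the server emits and run it through the check rather than trusting the config.

```python
# Added example (not the project's own config). Two pieces:
#  1. cookie_options_for(): decide the login-cookie attributes from the
#     environment, so SameSite=None; Secure is only set when we run https.
#  2. cookie_survives_cross_site(): given a Set-Cookie header and whether
#     the site is served over https, say whether a strict-SameSite browser
#     would still send that cookie on a cross-site (third-party) request.
import os


def cookie_options_for(env):
    """Return the dict to put under tornado_settings['cookie_options'].

    ASSUMPTION: the notebook server forwards these keys to Tornado's
    set_secure_cookie(); verify with the emitted Set-Cookie header.
    """
    if env.get("GEN_CERT", "").lower() == "yes":
        # Cross-site Ajax needs SameSite=None, and browsers only honour that
        # together with Secure, i.e. when the server really runs https.
        return {"samesite": "None", "secure": True}
    # Plain http: do not touch the defaults. Adding Secure here would make the
    # browser drop the cookie entirely, so the user would never appear logged in.
    return {}


def cookie_survives_cross_site(set_cookie_header, over_https):
    """Evaluate one Set-Cookie header under Chrome 80's strict defaults.

    Returns (ok, reason). Rules applied:
      * a Secure cookie delivered over plain http is rejected outright;
      * a cookie with no SameSite attribute is treated as Lax (the new default)
        and therefore not sent on cross-site requests;
      * SameSite=None without Secure is rejected.
    """
    parts = [p.strip() for p in set_cookie_header.split(";")]
    attrs = {}
    for part in parts[1:]:                # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    samesite = attrs.get("samesite", "lax").lower()   # missing => Lax default
    secure = "secure" in attrs
    if secure and not over_https:
        return False, "Secure cookie set over plain http: browser rejects it"
    if samesite != "none":
        return False, f"SameSite={samesite}: not sent on cross-site Ajax"
    if not secure:
        return False, "SameSite=None without Secure: browser rejects it"
    return True, "SameSite=None; Secure over https: sent cross-site"


# Constructed sample headers for this example (not captured from a real server).
SAMPLE_STRICT_OK = "username-localhost-8888=abc123; HttpOnly; Path=/; SameSite=None; Secure"
SAMPLE_DEFAULT = "username-localhost-8888=abc123; HttpOnly; Path=/"

# When Jupyter loads this file as its config, get_config() is injected into the
# module globals; when run directly (e.g. for the checks above) it is absent.
try:
    c = get_config()  # noqa: F821
except NameError:
    c = None

if c is not None:
    opts = cookie_options_for(os.environ)
    if opts:
        c.NotebookApp.tornado_settings = {"cookie_options": opts}

if __name__ == "__main__":
    for header in (SAMPLE_STRICT_OK, SAMPLE_DEFAULT):
        for https in (True, False):
            ok, why = cookie_survives_cross_site(header, https)
            print(f"https={https!s:5} ok={ok!s:5} {why}")
```

The config half mirrors the decision in the text: `GEN_CERT=yes` is the one signal the image can trust, so nothing is set on plain http. The checker half is the deployment test a practitioner wants, since a Secure cookie that the browser silently drops looks identical to "never logged in" from the user's side; the only reliable evidence is the header the server actually sends.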