Set CSP frame-ancestors 'self' for nbgrader handlers #1915
This PR solves issue #1870 (formgrader does not show in JupyterLab tab due to JupyterHub >=4.1.0 security settings in HTTP headers).
Starting with JupyterHub 4.1.0 HTTP header
is the default setting instead of
See Mitigating same-origin deployments for some background on this decision and CSP: frame-ancestors for details on the header.
The `none` header prevents loading of formgrader in a tab of JupyterLab.

The JupyterHub `none` setting overwrites the `self` setting of Jupyter Server running without JupyterHub. See `self` in Jupyter Server, `none` in JupyterHub's Jupyter Server extension, `none` in JupyterHub's code for classic notebook.

To allow embedding of nbgrader's formgrader (and possibly other nbgrader components) without affecting security of other JupyterHub components this PR sets `frame-ancestors` to `self` for responses of nbgrader handlers only.

The class `BaseHandler` modified by this PR is a subclass of `tornado.web.RequestHandler`, which provides the `set_header` method.
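The per-handler override described above, as an added sketch that is not the PR's code: it rewrites only the `frame-ancestors` directive of whatever `Content-Security-Policy` value is already set and keeps every other directive. The mixin name, the use of `set_default_headers` and `_headers`, and the sample policy strings are assumptions made for illustration.

```python
"""Added example: replace only frame-ancestors in an existing CSP value."""


def parse_csp(policy):
    """Split a CSP header value into an ordered {directive: [sources]} dict."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Directive names are case-insensitive. A repeated directive is
        # ignored by browsers, so only the first occurrence is kept.
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def with_frame_ancestors(policy, sources=("'self'",)):
    """Return the policy with frame-ancestors set to sources, rest untouched."""
    directives = parse_csp(policy or "")
    # Assigning to an existing key keeps its position; a new key is appended.
    directives["frame-ancestors"] = list(sources)
    return "; ".join(" ".join([name, *vals]) for name, vals in directives.items())


class FrameAncestorsSelfMixin:
    """Hypothetical mixin for a tornado.web.RequestHandler subclass.

    Assumes the host class provides set_header() and a _headers mapping that
    is populated before set_default_headers() runs, as tornado's
    RequestHandler does.
    """

    def set_default_headers(self):
        super().set_default_headers()
        current = self._headers.get("Content-Security-Policy", "")
        self.set_header("Content-Security-Policy", with_frame_ancestors(current))


if __name__ == "__main__":
    # Constructed sample policies, not captured from a real deployment.
    for sample in ("frame-ancestors 'none'; report-uri /csp-report",
                   "default-src 'self'",
                   ""):
        print(repr(sample), "->", repr(with_frame_ancestors(sample)))
```

Applied only to the handlers that must be framed, this leaves the stricter default in place for every other response.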