Set CSP frame-ancestors 'self' for nbgrader handlers

[jeflem]

This PR solves issue #1870 (formgrader does not show in JupyerLab tab due to JupyterHub >=4.1.0 security settings in HTTP headers).

Starting with JupyterHub 4.1.0 HTTP header

Content-Security-Policy:  frame-ancestors 'none'

is the default setting instead of

Content-Security-Policy: frame-ancestors 'self'

See Mitigating same-origin deployments for some background on this decision and CSP: frame-ancestors for details on the header.

The none header prevents loading of formgrader in a tab of JupyterLab.

The JupyterHub none setting overwrites the self setting of Jupyter Server running without JupyterHub. See

• jupyter_server/base/handlers.py#L101 for default setting self in Jupyter Server,
• jupyterhub/singleuser/extension.py#L658 for default setting none in JupyterHub's Jupyter Server extension,
• jupyterhub/singleuser/mixins.py#L688 for default setting none in JupyterHub's code for classic notebook.

To allow embedding of nbgrader's formgrader (and possibly other nbgrader components) without affecting security of other JupyterHub components this PR sets frame-ancestors to self for responses of nbgrader handlers only.

The class BaseHandler modified by this PR is a subclass of tornado.web.RequestHandler, which provides the set_header method.

[github-actions]

👈 Launch a Binder on branch jeflem/nbgrader/formgrader_jhub41