allow token-authenticated requests cross-origin by default

we already apply this logic in our server-side checks, but browsers check `Access-Control-Allow-Origin` headers themselves as well, meaning that token-authenticated requests can’t be made cross-origin without CORS headers from browsers, only scripts. This makes default browser and server-side origin checks consistent
2025-01-12 11:45:38 +08:00 · 2017-10-10 17:01:48 +02:00 · 2017-10-10 17:01:48 +02:00 · 9acf6a80f4
commit 9acf6a80f4
parent a8c6b8bab6
1 changed files with 26 additions and 0 deletions
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@ -281,6 +281,16 @@ class IPythonHandler(AuthenticatedHandler):
            origin = self.get_origin()
            if origin and self.allow_origin_pat.match(origin):
                self.set_header("Access-Control-Allow-Origin", origin)
+        elif (
+            self.token_authenticated
+            and "Access-Control-Allow-Origin" not in
+                self.settings.get('headers', {})
+        ):
+            # allow token-authenticated requests cross-origin by default.
+            # only apply this exception if allow-origin has not been specified.
+            self.set_header('Access-Control-Allow-Origin',
+                self.request.headers.get('Origin', ''))
+
        if self.allow_credentials:
            self.set_header("Access-Control-Allow-Credentials", 'true')
    
@ -517,6 +527,22 @@ class APIHandler(IPythonHandler):
        self.set_header('Access-Control-Allow-Methods',
                        'GET, PUT, POST, PATCH, DELETE, OPTIONS')

+        # if authorization header is requested,
+        # that means the request is token-authenticated.
+        # avoid browser-side rejection of the preflight request.
+        # only allow this exception if allow_origin has not been specified.
+        requested_headers = self.request.headers.get('Access-Control-Request-Headers', '').split(',')
+        if requested_headers and any(
+            h.strip().lower() == 'authorization'
+            for h in requested_headers
+        ) and (
+            self.allow_origin
+            or self.allow_origin_pat
+            or 'Access-Control-Allow-Origin' in self.settings.get('headers', {})
+        ):
+            self.set_header('Access-Control-Allow-Origin',
+                self.request.headers.get('Origin', ''))
+

 class Template404(IPythonHandler):
    """Render our 404 template"""