we already apply this logic in our server-side checks,
but browsers check `Access-Control-Allow-Origin` headers themselves as well,
meaning that token-authenticated requests can’t be made cross-origin without CORS headers from browsers,
only scripts.
This makes default browser and server-side origin checks consistent
get_current_user is called in a few places that really shouldn’t raise
move the raising to `get_login_url`, which is called in `@web.authenticated`,
where we want to replace redirect logic with 403.
* provide some top level comments
* implement buffering of messages on last dropped connection
- buffer is per-kernel
- session_key is stored because only a single session can resume the buffer and we can't be sure
- on any new connection to a kernel, buffer is flushed.
If session_key matches, it is replayed.
Otherwise, it is discarded.
- buffer is an unbounded list for now
* restore actual zmq channels when resuming connection
rather than establishing new connections
fixes failure to resume shell channel
* hookup restart callbacks in open
instead of in `create_stream`, which is not called on reconnect
* improve handling of restored connections in js
- dismiss 'connection lost' dialog on reconnect
- set busy status on reconnect (if not busy, idle will come soon after via kernel_ready)
* ...
* ...
* ...
* add translated files in Chinese.
* Remove compiled message files
* Consolidate translations into one set of files
* Rename .pot files to .po
* Add zh-CN to list of supported languages
* Ignore compiled .mo files
* Revert a couple of unimportant changes
When starting a kernel using the Jupyter Notebook Kernel API, web
browsers will automatically check for the presence of `x-xsrftoken` in
the Access-Control-Allow-Headers during the preflight CORS check
([ref][ref]).
[ref]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
Since we didn't allow this header before, web browsers would fail the
preflight check even when the x-xsrftoken header isn't being used by the
notebook server.
This meant that running a webpage on localhost:8080 that used Javascript
to start a kernel on a notebook server running on localhost:8888 would
fail.
How I tested this commit:
1. Start a notebook server using
jupyter notebook --no-browser --NotebookApp.allow_origin="*" --NotebookApp.disable_check_xsrf=True --NotebookApp.token=''
2. Build the [web3](https://github.com/jupyter-widgets/ipywidgets/tree/master/examples/web3) example from ipywidgets.
3. In that directory, run `npm run host`.
4. Verify that visiting http://localhost:8080/ starts a kernel in the notebook server.
