
CORS is not checked when browsing files. check origin now https://github.com/jupyter-server/jupyter_server/issues/1459 #1465

Open
wants to merge 1 commit into
base: main
Conversation

@gogasca (Contributor) commented Oct 25, 2024

Add check_origin check during check_xsrf_cookie for files.
Details:
#1459

@vidartf (Member) commented Nov 7, 2024

@gogasca Thanks for the issue and the PR. I've been reading it, and agree that the allow_origin_pat should be checked in this case as well. That said, in the exception handler there is already some code to call check_referer for GET and HEAD, and the docstring of that method already specifically mentions the /files endpoint, so I think it should probably be the method used here (at least for GET/HEAD). Also, I want to be careful to see if there are any configuration scenarios where the extra check would fail some existing behavior that we still want to allow, so I've been discussing this in the dev call (cc @Zsailer ), so the review might take a bit longer.

Happy for any input you have on the above, and thanks again!
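To make the two checks discussed above concrete, here is an added example (not jupyter_server's own code, and not the code in this PR) of how a handler can accept a file request only when its Origin matches the server's host, an explicit allowed origin, or an allow_origin_pat regex, and fall back to a Referer-derived origin for GET and HEAD requests that carry no Origin header. The function names check_origin, check_referer and is_request_allowed and the configuration parameters are assumed for illustration.

```python
import re
from urllib.parse import urlparse


def check_origin(origin_header, host_header, allow_origin="", allow_origin_pat=""):
    """Return True if the request's Origin header is acceptable.

    Hypothetical helper, not jupyter_server's implementation. Accepts a
    same-host origin, the literal allow_origin value (or "*"), or any origin
    matching the allow_origin_pat regex. A missing or "null" Origin is refused.
    """
    if not origin_header:
        return False
    parsed = urlparse(origin_header)
    # urlparse("null") has an empty netloc, so an opaque origin fails the host test.
    if parsed.netloc and parsed.netloc == host_header:
        return True
    if allow_origin == "*":
        return True
    if allow_origin and allow_origin == origin_header:
        return True
    # Anchor the pattern with re.match + "$" in the pattern so that
    # "https://nb.example.org.evil.test" does not satisfy ".*\.example\.org$".
    if allow_origin_pat and re.match(allow_origin_pat, origin_header):
        return True
    return False


def check_referer(referer_header, host_header, allow_origin="", allow_origin_pat=""):
    """Derive an origin (scheme://netloc) from the Referer and reuse check_origin.

    Browsers often send Referer but not Origin on GET/HEAD navigations such as
    an <img> or <a> pointing at /files/..., which is why a Referer fallback is
    needed for those methods.
    """
    if not referer_header:
        return False
    parsed = urlparse(referer_header)
    if not parsed.scheme or not parsed.netloc:
        return False
    derived_origin = f"{parsed.scheme}://{parsed.netloc}"
    return check_origin(derived_origin, host_header, allow_origin, allow_origin_pat)


def is_request_allowed(method, headers, host_header, allow_origin="", allow_origin_pat=""):
    """Decide whether a file request may be served.

    Prefer the Origin header when present; for GET/HEAD without Origin, fall
    back to the Referer. Any other method without an Origin is refused.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return check_origin(origin, host_header, allow_origin, allow_origin_pat)
    if method.upper() in ("GET", "HEAD"):
        return check_referer(headers.get("Referer"), host_header, allow_origin, allow_origin_pat)
    return False


if __name__ == "__main__":
    # Constructed sample requests against a server on localhost:8888.
    host = "localhost:8888"
    pat = r"^https://.*\.example\.org$"
    print(is_request_allowed("GET", {"Referer": "http://localhost:8888/tree"}, host))
    print(is_request_allowed("GET", {"Referer": "http://other.invalid/page"}, host))
    print(is_request_allowed("GET", {"Origin": "https://nb.example.org"}, host, allow_origin_pat=pat))
```

Running the module prints True, False, True: a same-host Referer is accepted, a foreign Referer is refused, and a cross-origin request is accepted only because it matches the configured pattern. The pattern is deliberately anchored at both ends; an unanchored allow_origin_pat is the usual way such a check is silently weakened.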

@gogasca (Contributor, Author) commented Nov 21, 2024

Thanks @vidartf, I will test using the check_referer method and get back to you. I have been unable to join the call in the past few weeks due to some personal commitments, but will report back with more details. Thanks
