Describe problems and solutions involving CSP headers #3883
This PR just adds a section to the documentation describing problems and solutions for serving jupyter from a public server that uses the Content-Security-Policy (CSP) header.
I ran into these problems using the latest docker container jupyter/scipy-notebook to serve from a subdirectory on an existing webserver. I used a setup essentially like the one described in the docs. I was able to access Jupyter through both the notebook interface and the jupyterlab interface, and the pages basically seemed to be working, in the sense that I could see menus and file listings, and so on.

However, actual connections to the kernel weren't working. For example, when I opened a new notebook, the kernel wouldn't start and I'd get the usual "Connection failed" message saying "A connection to the notebook server could not be established." Or in jupyterlab, everything would look fine, but when I'd try to execute a cell it would just hang. When I tried to open a terminal, nothing at all would happen; I wouldn't get a prompt or any message whatsoever. Looking at the javascript console, I saw lots of failed connections to WebSockets (which evidently go via the wss: scheme, or ws: if you're not encrypting), with messages saying that our Content-Security-Policy (CSP) was blocking those requests.

Now, because we have lots of different web apps running, we try to follow basic security guidelines — specifically Mozilla's guidelines, which include a recommendation to use a restrictive CSP. I believe the problem is that our CSP includes default-src https: 'unsafe-inline', and that means that wss: can't be used. My solution was to add to the CSP, at least for the subdirectory where I'm serving jupyter. Now, everything's working great. (I also noticed that 'unsafe-inline' is definitely necessary, so I mention that in the docs.)

I had a harder time than I should have figuring that out (because I was looking for 404s, and forgot to check the console for a while), so I'm hoping this at least shows up in search engines for people like me who just searched for the problem first.