propagate check_origin of JupyterHandler to enable CORS websocket access #295
Conversation
|
Thanks for submitting your first pull request! You are awesome! 🤗 |
|
This issue could be related/fixed by this PR #248. |
fhoehle
force-pushed
the
propagate_check_origin
branch
from
6c3b0a6 to
b4d11f0
Compare
|
@consideRatio could you maybe take a look at this, please? this would be very useful for us, too. 🙂 |
|
@fhoehle I think for this PR to be accepted, i think it will need to not make the project require jupyter_server. These questions will likely be relevant to address, and anyones thoughts about those would be useful review input.
@manics @minrk @yuvipanda - this is at least a small PR in lines of code changed, but I'm not knowledgeable enough about this project or about CORS to review this. Could you give it a glance? |
|
@consideRatio I think jupyter_server is already required. I think this is fine, but I also think it can be simpler by putting it on the base ProxyHandler, as is done in jupyter_server when a class needs to inherit from WebSocketHandler before JupyterHandler: def check_origin(self, origin=None):
return JupyterHandler.check_origin(self, origin) |
fhoehle
force-pushed
the
propagate_check_origin
branch
from
b4d11f0 to
4c9f351
Compare
|
@consideRatio and @minrk thanks for your review and input.
I adapted the PR according to @minrk proposal. In the beginning I was unsure if would be more suitable to add the reassignement of |
|
Thanks @minrk for helping out! Does this LGTY now? |
|
Congrats on your first merged pull request in this project! 🎉 |
|
Yes, thank you! |
|
I labelled this as a bugfix, is that reasonable with regards to how it will be listed in the changelog. Is it an enhancement, or breaking change? |
I would consider this an enhancement. Because this functionality could achieved by overwriting the origin header by the inverting proxy. |
|
@fhoehle what about breaking / non-breaking change? |
@consideRatio I would see it as non breaking, because existing configuration does not become invalid. But if someone is using this on an exposed system without any proxy service web-sockets will become accessible. It would be very helpful for me to use a release including this functionality. Would that be possible @consideRatio @minrk ? Do you need more input besides the points already mentioned? |
|
Bugfix is a fine label for changelog purposes, since it fixes the code's behavior to do what it is intended to do. While it's technically conceivable to rely on the incorrect behavior, I wouldn't consider fixing that a breaking change. It's very common for changes to not cleanly divide into bug/enhancement/feature/etc. and I would like to avoid spending too much time on the labeling, as long as it gets a label.
No, I think this is all done. Just need to get the release ready. |
|
@minrk thanks! |
Thanks for this extremly helpful package. Exposing applications like
code-serverusingjupyter-vscode-proxyvia an inverting proxy e.g.gcr.io/inverting-proxyfails due to not allowed cross origin websockets. This seccurity rule was introduced intornado>=4seecheck_originand its doc string.jupyter-serverprovides a configurablecheck_originfunction consumingallow_originandallow_origin_patbeing very fine tunable cross origin permissions. This PR exposes thejupyter-server-proxyto this functionality and being similar configured as thejupyter-serverregarding cross origin acceptance.Please comment/review I'm open to suggestions and feedback.