handle allow_origin='*' in check_referer #5898

Merged
merged 1 commit into from
Dec 19, 2020

minrk
Member

@minrk minrk commented Dec 4, 2020

allow_origin can be the wildcard '*' to allow any host

applies logic already in check_origin to check_referer

Member

@kevin-bates kevin-bates left a comment


Thanks Min!

@@ -380,7 +380,7 @@ def check_origin(self, origin_to_satisfy_tornado=""):

# Check CORS headers
if self.allow_origin:
allow = self.allow_origin == origin
allow = self.allow_origin == "*" or self.allow_origin == origin
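
Review bot: The `allow = ...` line in check_origin now treats `allow_origin == "*"` as a match for every origin, but the only comment above it is `# Check CORS headers`; say there that the wildcard switches off the cross-origin restriction, so a reader auditing this check sees it. Since the PR title targets check_referer, consider moving this comparison into one helper that both check_origin and check_referer call, so the wildcard handling cannot drift between the two.
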

Is this change more for synergy with the change below? Because it seems like this code above is addressing the wildcard.

@kevin-bates
Member

Hmm. In checking to make sure this issue would also be present in jupyter server, I found that check_origin() already addressed the wildcard - thus the comment after approval - sorry about that.

allow_origin can be the wildcard '*' to allow any host

check_referer should match check_origin
@minrk minrk changed the title from "handle allow_origin='*' in CORS checks" to "handle allow_origin='*' in check_referer" Dec 14, 2020
@minrk
Member Author

minrk commented Dec 14, 2020

@kevin-bates good catch! I updated to apply the same logic already in check_origin to check_referer
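
The rule this PR settles on, one wildcard-aware comparison applied to both the Origin check and the Referer check, as an added sketch that is not the notebook project's code. The helpers `origin_allowed`, `referer_to_origin` and `agree`, the function signatures, the reject-on-missing-header behaviour and the sample hosts are assumptions made for illustration.

```python
from urllib.parse import urlparse

def origin_allowed(origin, allow_origin):
    """Single CORS decision shared by both checks (hypothetical helper)."""
    if not allow_origin:
        return False
    # '*' is the wildcard: any origin is accepted
    return allow_origin == "*" or allow_origin == origin

def referer_to_origin(referer):
    """Reduce a Referer URL to scheme://host[:port]; None if unusable."""
    parts = urlparse(referer or "")
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"

def check_origin(headers, allow_origin):
    """Origin-header check, simplified: same host passes, else CORS rule."""
    origin = headers.get("Origin")
    if origin is None:
        return False  # assumption: this sketch rejects a missing header
    if urlparse(origin).netloc == headers.get("Host"):
        return True
    return origin_allowed(origin, allow_origin)

def check_referer(headers, allow_origin):
    """Referer-header check that applies the same rule as check_origin."""
    origin = referer_to_origin(headers.get("Referer"))
    if origin is None:
        return False  # assumption: missing or malformed Referer is rejected
    if urlparse(origin).netloc == headers.get("Host"):
        return True
    return origin_allowed(origin, allow_origin)

# Constructed sample requests (not taken from the project or its tests)
CROSS = {"Host": "nb.example:8888", "Origin": "https://app.example",
         "Referer": "https://app.example/page?x=1"}
SAME = {"Host": "nb.example:8888", "Origin": "http://nb.example:8888",
        "Referer": "http://nb.example:8888/tree"}

def agree(headers, allow_origin):
    """True when both checks reach the same verdict for one request."""
    return check_origin(headers, allow_origin) == check_referer(headers, allow_origin)
```

Running `agree` over every `allow_origin` setting a deployment uses is a cheap regression test for the mismatch this PR fixes.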

@kevin-bates kevin-bates merged commit 24bf3a5 into jupyter:master Dec 19, 2020
@blink1073 blink1073 added this to the 6.2 milestone Mar 18, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 15, 2021
@minrk minrk deleted the allow_origin_wildcard branch August 11, 2023 08:56
3 participants