-
Notifications
You must be signed in to change notification settings - Fork 417
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error on Kino script loading if a livebook instance is behind cookie based authentication proxy #954
Comments
We had a similar bug on v0.5.0 but it should be fixed on v0.5.1. I couldn't find your tag on Docker, so can you please make sure you are on latest? Unless you pulled yesterday, which means you are on latest. :) |
I don't know why the tag is not there... $ docker run --pull always livebook/livebook@sha256:4623d37ca4d4ac7d06a48a12d0745e02c301abb42baac2674d0a1771f0dc5be7 /app/bin/livebook version
docker.io/livebook/livebook@sha256:4623d37ca4d4ac7d06a48a12d0745e02c301abb42baac2674d0a1771f0dc5be7: Pulling from livebook/livebook
Digest: sha256:4623d37ca4d4ac7d06a48a12d0745e02c301abb42baac2674d0a1771f0dc5be7
Status: Image is up to date for livebook/livebook@sha256:4623d37ca4d4ac7d06a48a12d0745e02c301abb42baac2674d0a1771f0dc5be7
livebook 0.5.2 Is there any possibility that the HTTP request to load script does not include credentials because it is sent from the sandbox |
Thanks, I can reproduce it now. I was incorrectly assuming it was generally related to authentication but it actually happens only on token authentication, not password one. Commenting |
I am not sure we are looking at the same problem because I cannot reproduce it by changing |
@en30 thanks for the detailed reproduction. So the relevant |
@jonatanklosko can the iframe sets its own cookie? If it can, then we can pass all cookies to the iframe, except the ones that are important for us. |
We cannot access HttpOnly cookies from JavaScript and I imagine a proxy like that would set that (either way we shouldn't assume). |
@jonatanklosko we have all cookies in the server, which we can pass down. We can also make it an explicit configuration if we don't want to assume. |
It's the proxy that sets the cookie though, so we don't have direct access to it on the server, maybe on a subsequent request. And even then, if the cookie is HttpOnly, passing it down doesn't help because the iframe won't be able to set it. |
@josevalim on a related note, I'm looking into camera access and there are also issues, because our setup is too strict. I have an idea how we can solve both, though it's definitely not pretty. |
@jonatanklosko the httponly is a server setting, the browser will definitely send it later if it is set via JavaScript and iirc the server has no way of knowing. But I am glad to hear alternatives. |
@jonatanklosko Thank you for clarifying the situation. Since |
@en30 actually this should be fairly straightforward, we can load the module outside iframe and inside iframe we would still use That said, I think the issue is more broad and solving the camera access issue will automatically solve this as well. Otherwise, this sounds like the best alternative! |
@jonatanklosko I hope your solution (Feature Policy or something?) is successful🤞 |
@jonatanklosko I tried it both on GCP and using en30/livebook-issue-954, but it still doesn't seem to be working. To make sure I use the latest image, I specified |
@en30 thanks for checking. So the cookies are indeed not sent when importing the module, that's because this is a non-simple cross-origin request (from livebook.space iframe to the livebook endpoint). So far I looked into two ways of addressing it, but neither seems good enough:
One thing we could do is to require the proxy to pass requests to public resources without authentication. We could namespace those routes under |
I think the solution is reasonable. At least there are ways to work around this issue. |
I haven't done a proper feasibility check yet, but is it possible to do something like this?
|
Using service workers is likely asking for trouble. We would need to proxy the request as |
@jonatanklosko Thank you for addressing the issue. And thank you for all of your hard work and the great product. |
Environment
git rev-parse HEAD
if running with mix):livebook/livebook@sha256:4623d37ca4d4ac7d06a48a12d0745e02c301abb42baac2674d0a1771f0dc5be7
Current behavior
Step to reproduce
docker run -p 8080:8080 --pull always livebook/livebook:edge
Kino.DataTable
sectionWithout GCP: https://github.com/en30/livebook-issue-954
Result
DataTable
widget does not show up.Error message in the browser console:
Access to script at '*/main.js' from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
The HTTP request does not include
Cookie
header and the response redirects to an authentication page that is of a different origin in this case.Expected behavior
DataTable
widget shows up if possible.The text was updated successfully, but these errors were encountered: