Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revert #1915 for security reason #1947

Merged
merged 7 commits into from
Jan 17, 2025
Merged

Revert #1915 for security reason #1947

merged 7 commits into from
Jan 17, 2025

Conversation

brichet
Copy link
Contributor

@brichet brichet commented Jan 17, 2025
edited
Loading

This PR reverts #1915 for security reason.

Jupyter application running in JupyterHub must not allow iframes, as described at mitigating-same-origin-deployments.

This PR also updates the demo and documentation to make nbgrader work with jupyterhub>=4.1.

EDIT:

@github-actions GitHub Actions
Copy link
Contributor

Binder 👈 Launch a Binder on branch brichet/nbgrader/revert#1915_

@brichet brichet requested a review from minrk January 17, 2025 10:29
@lahwaacz
Copy link
Contributor

So nbgrader should be revamped to avoid using iframes altogether...

@brichet
Copy link
Contributor Author

brichet commented Jan 17, 2025

So nbgrader should be revamped to avoid using iframes altogether...

AFAIK only the formgrader UI is using an iframe, and there are solutions to use it with JupyterHub (see updated doc).

Revamping the formgrader UI would be the best solution indeed, but it would take some time.

minrk
minrk reviewed Jan 17, 2025
View reviewed changes
nbgrader/docs/source/configuration/jupyterhub_config.rst Outdated

Enabling per-user and per-service subdomains with ``JupyterHub.enable_subdomains = True``
allows to securely use iframes with JupyterHub.
Then, even if embedding in an IFrame is allowed, the host page does not have access to the
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This second sentence isn't quite accurate - frame-ancestors: self allows same-origin iframes which do still have access to the page contents. That's not strictly the problem. The important change is that when enable_subdomains is True, frame-ancestors self allows embedding the iframe only on pages served by the user's own server but not on other users' servers, which is the problem case for a single-origin JupyterHub deployment.

minrk
minrk approved these changes Jan 17, 2025
View reviewed changes
Copy link
Member

@minrk minrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! One suggestion to improve the accuracy of the docs a bit.

@brichet brichet merged commit 73e1375 into jupyter:main Jan 17, 2025
24 checks passed
@brichet brichet deleted the revert_#1915 branch January 17, 2025 14:01
@brichet
Copy link
Contributor Author

brichet commented Jan 17, 2025

Thanks again @minrk for the advisory, the possible solutions and the review.

@iyanmv iyanmv mentioned this pull request Jan 24, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@minrk minrk minrk approved these changes

Assignees
No one assigned
Labels
bug bugfix important
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@brichet @lahwaacz @minrk