JupyterHub 4.1.0 breaks Formgrader iFrame embed #1870

Open
milandeepbassi opened this issue Mar 20, 2024 · 8 comments

@milandeepbassi

Operating system

Ubuntu 22

nbgrader --version

0.9.1

jupyterhub --version (if used with JupyterHub)

4.1.0

jupyter notebook --version

7.1.2

Expected behavior

image

Actual behavior

image

Steps to reproduce the behavior

Created an instance with The Littlest Jupyterhub that fetches JupyterHub 4.1.0 and installed NBGrader. Tried to access Formgrader and got the following error in browsers.

It is due to this update on Jupyterhub here: https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#mitigating-same-origin-deployments

The default Content-Security-Policy for single-user servers is

frame-ancestors: 'none'
which prohibits iframe embedding, but not pop-ups.

@lahwaacz
Contributor

Confirmed!

@Zercerium

Workaround if you are using jupyterhub in Kubernetes:
edit the helm chart and add the key extraFiles with the following content. Please replace the domain with your domain.

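singleuser:
  [...]
  extraFiles:
    server-config:
      mountPath: /etc/jupyter/jupyter_server_config.json
      # CSP keyword sources must be single-quoted ('self'); an unquoted
      # self is parsed as a host name, not as the page's own origin.
      data: {
        ServerApp: {
          tornado_settings: {'headers': {'Content-Security-Policy': "frame-ancestors 'self' https://example.com;"}}
        }
      }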

@lahwaacz
Contributor

You can have just "frame-ancestors self" without having to specify a domain. However, note that this obviously impacts security of the whole JupyterHub.

@goekce

goekce commented Apr 17, 2024

I would like to use the workaround until the problem is fixed in nbgrader. Jupyterhub is installed directly on my server OS and I modified jupyterhub_config.py as follows:

c.JupyterHub.ServerApp.tornado_settings = {
        "headers":{"Content-Security-Policy": "frame-ancestors 'self' "}
}

Unfortunately, the workaround did not work in my case. I don't see any change in the response header of the GET /formgrader request.

@lahwaacz
Contributor

@goekce I think JupyterHub is still using jupyter-notebook rather than jupyter-server. Try using c.JupyterHub.NotebookApp.tornado_settings rather than c.JupyterHub.ServerApp.tornado_settings, or setting this in /etc/jupyter/jupyter_notebook_config.py.

@goekce

goekce commented Apr 19, 2024

Nice idea @lahwaacz ! I tried both Jupyterhub settings and:

/etc/jupyter/jupyter_notebook_config.d/nbgrader_jhub4.1_workaround.json

{
        "NotebookApp": {
                "tornado_settings": {
                        "headers": {"Content-Security-Policy": "frame-ancestors 'self' "}
                }
        }
}

They did not help, however 🙁. I see no effect of these settings in the response headers. I believe something else is overwriting these settings in my case.

@lahwaacz
Contributor

@goekce Hmm, maybe also add the same to c.JupyterHub.tornado_settings in the jupyterhub_config.py

@goekce

goekce commented Apr 19, 2024

@lahwaacz

Changing the following line manually seems to change the response headers:

https://github.com/jupyterhub/jupyterhub/blob/168fa5c699fbb612d670a4e0df8a062198fb7558/jupyterhub/singleuser/extension.py#L649

So I believe Jupyterhub is using the ServerApp.

However the following lines do not have an effect:

c.ServerApp.tornado_settings = {
        "headers":{"Content-Security-Policy": "frame-ancestors 'self' "}
}
c.JupyterHub.ServerApp.tornado_settings = ... # same

I probably should try with a clean installation.
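
Added example (not from the thread and not JupyterHub or nbgrader code): a simplified evaluation of the `frame-ancestors` directive against an embedding origin, for reading the `Content-Security-Policy` values discussed above once they show up in the response headers. The function names and the `hub.example.org` URLs are constructed; it assumes a single ancestor and handles only `'none'`, `'self'`, full origins and exact host names.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def origin(url):
    """(scheme, host, port) triple with default ports filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def allows_embedding(csp, page_url, parent_url):
    """Would a page served with `csp` at page_url render in a frame on parent_url?

    Simplified: one ancestor only, no wildcard hosts, no scheme-only sources.
    """
    sources = frame_ancestors(csp)
    if sources is None:
        return True  # this policy places no restriction on framing
    parent = origin(parent_url)
    for src in sources:
        keyword = src.lower()
        if keyword == "'none'":
            continue  # matches nothing
        if keyword == "'self'":
            if parent == origin(page_url):
                return True
        elif "://" in src:
            if origin(src) == parent:
                return True
        elif keyword == parent[1]:
            # Bare token is a host name. An unquoted self lands here and
            # would only match a parent whose host is literally "self".
            return True
    return False

# Constructed URLs for a same-origin deployment (placeholder host).
PARENT = "https://hub.example.org/user/alice/tree"
FORMGRADER = "https://hub.example.org/user/alice/formgrader"

if __name__ == "__main__":
    for csp in ("frame-ancestors 'none'", "frame-ancestors 'self'", "frame-ancestors self"):
        print(f"{csp!r:28} -> {allows_embedding(csp, FORMGRADER, PARENT)}")
```
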
