
JupyterHub 4.1.0 breaks Formgrader iFrame embed #1870

Closed
milandeepbassi opened this issue Mar 20, 2024 · 17 comments · Fixed by #1915

Comments

@milandeepbassi

Operating system

Ubuntu 22

nbgrader --version

0.9.1

jupyterhub --version (if used with JupyterHub)

4.1.0

jupyter notebook --version

7.1.2

Expected behavior

(screenshot not preserved)

Actual behavior

(screenshot not preserved)

Steps to reproduce the behavior

Created an instance with The Littlest JupyterHub, which fetches JupyterHub 4.1.0, and installed nbgrader. Tried to access Formgrader and got the following error in browsers.

It is due to this update on Jupyterhub here: https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#mitigating-same-origin-deployments

The default Content-Security-Policy for single-user servers is

frame-ancestors: 'none'
which prohibits iframe embedding, but not pop-ups.
@lahwaacz
Contributor

Confirmed!

@Zercerium

Workaround if you are using JupyterHub in Kubernetes:
edit the Helm chart and add the key extraFiles with the following content (please replace the domain with your domain):

singleuser:
  [...]
  extraFiles:
    server-config:
      mountPath: /etc/jupyter/jupyter_server_config.json
      data: {
        ServerApp: {
          # 'self' is a CSP keyword and must be quoted; an unquoted self is read as a host name
          tornado_settings: {'headers': {'Content-Security-Policy': "frame-ancestors 'self' https://example.com;"}}
        }
      }

@lahwaacz
Contributor

You can have just "frame-ancestors self" without having to specify a domain. However, note that this obviously impacts security of the whole JupyterHub.

@goekce

goekce commented Apr 17, 2024

I would like to use the workaround until the problem is fixed in nbgrader. JupyterHub is installed directly on my server OS and I modified jupyterhub_config.py as follows:

c.JupyterHub.ServerApp.tornado_settings = {
        "headers": {"Content-Security-Policy": "frame-ancestors 'self' "}
}

Unfortunately the workaround did not work in my case. I don't see any change in the response header of GET /formgrader request.

@lahwaacz
Contributor

@goekce I think JupyterHub is still using jupyter-notebook rather than jupyter-server. Try using c.JupyterHub.NotebookApp.tornado_settings rather than c.JupyterHub.ServerApp.tornado_settings, or setting this in /etc/jupyter/jupyter_notebook_config.py.

@goekce

goekce commented Apr 19, 2024

Nice idea @lahwaacz! I tried both JupyterHub settings and:

/etc/jupyter/jupyter_notebook_config.d/nbgrader_jhub4.1_workaround.json

{
        "NotebookApp": {
                "tornado_settings": {
                        "headers": {"Content-Security-Policy": "frame-ancestors 'self' "}
                }
        }
}

They did not help however 🙁. I see no effect of these settings in the response headers. I believe something else is overwriting these settings in my case.

@lahwaacz
Contributor

@goekce Hmm, maybe also add the same to c.JupyterHub.tornado_settings in the jupyterhub_config.py

@goekce

goekce commented Apr 19, 2024

@lahwaacz

Changing the following line manually seems to change the response headers:

https://github.com/jupyterhub/jupyterhub/blob/168fa5c699fbb612d670a4e0df8a062198fb7558/jupyterhub/singleuser/extension.py#L649

So I believe Jupyterhub is using the ServerApp.

However the following lines do not have an effect:

c.ServerApp.tornado_settings = {
        "headers": {"Content-Security-Policy": "frame-ancestors 'self' "}
}
c.JupyterHub.ServerApp.tornado_settings = ... # same

I probably should try with a clean installation.

@henry-goluss

Hello!

I have the same issue #1910.
@milandeepbassi @goekce did you find a solution?

@goekce

goekce commented Aug 6, 2024

I did not have time since my last post, dear @henry-goluss.

@milandeepbassi
Author

@henry-goluss @goekce Likewise, I've been using the /user/XXXXXX/formgrader domain to access Formgrader. I couldn't get the above working.

@jeflem
Contributor

jeflem commented Aug 16, 2024

We may set the Content-Security-Policy header in nbgrader's BaseHandler class defined in

class BaseHandler(JupyterHandler):

Add a method

    def initialize(self):
        super().initialize()
        self.set_header("Content-Security-Policy", "frame-ancestors 'self'")

Then formgrader works as expected without lowering the hub's overall security (as far as I understand).
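As an added illustration (not code from this thread, nor from nbgrader or JupyterHub), here is a small checker for the frame-ancestors directive discussed above: it decides whether a page served with a given Content-Security-Policy header may be framed by another origin, using constructed example URLs such as hub.example.edu. It also shows why the quoting matters: 'self' is a keyword, while an unquoted self is parsed as a host name and matches nothing.

```python
from urllib.parse import urlsplit


def parse_frame_ancestors(csp):
    """Return the source list of frame-ancestors, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _origin(url):
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def _host_source_matches(source, scheme, host, port):
    """Match a CSP host-source (https://example.com, *.example.com, https:) against an origin."""
    if "://" in source:
        src_scheme, _, rest = source.partition("://")
        if src_scheme.lower() != scheme:
            return False
    elif source.endswith(":"):
        return source[:-1].lower() == scheme  # scheme-source such as https:
    else:
        rest = source  # bare host, any scheme
    src_host, _, src_port = rest.split("/", 1)[0].partition(":")
    if src_port and src_port != "*" and src_port != str(port):
        return False
    src_host = src_host.lower()
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host


def frame_allowed(csp, page_url, embedder_url):
    """True if a page served with header `csp` at page_url may be framed by embedder_url."""
    sources = parse_frame_ancestors(csp)
    if sources is None:
        return True  # no directive: browsers allow framing (no fallback to default-src)
    page, embedder = _origin(page_url), _origin(embedder_url)
    for src in sources:
        if src == "'self'" and page == embedder:
            return True
        # 'none' and other quoted keywords never match; an unquoted "self" is a host named self
        if not src.startswith("'") and _host_source_matches(src, *embedder):
            return True
    return False
```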

@henry-goluss

Thank you for the answers but my knowledge is too poor to clearly understand what to do or try! I guess I will rollback to my old configuration.

@jeflem
Contributor

jeflem commented Aug 24, 2024

Yes, it's somewhat hacky. But if you want to try, here are the steps:

  1. Find your installed Python packages. Usually somewhere in your home directory. For me it's /home/my_username/miniforge3/envs/my_env_name/lib/python3.12/site-packages/; it depends on your package manager (conda, mamba, pip, whatever).
  2. Go to the nbgrader subdirectory and open nbgrader/nbgrader/server_extensions/formgrader/base.py in a text editor.
  3. Go to line 62 (or somewhere else between two method definitions) and paste the code
         def initialize(self):
             super().initialize()
             self.set_header("Content-Security-Policy", "frame-ancestors 'self'")
  4. Save the file, restart your JupyterLab.
  5. Now formgrader should work.

@lahwaacz
Contributor

@jeflem Can you open a pull request?

@jeflem
Contributor

jeflem commented Aug 26, 2024

Indeed, a PR would be good. I'll try till end of the week.

@brichet
Contributor

brichet commented Nov 18, 2024

Solved by #1915

@brichet brichet closed this as completed Nov 18, 2024
Gehock added a commit to AaltoSciComp/jupyter-aalto-singleuser that referenced this issue Dec 21, 2024