
Set CSP frame-ancestors 'self' for nbgrader handlers #1915

Merged
merged 2 commits into from
Nov 15, 2024


@jeflem jeflem commented Aug 26, 2024

This PR solves issue #1870 (formgrader does not show in JupyterLab tab due to JupyterHub >=4.1.0 security settings in HTTP headers).

Starting with JupyterHub 4.1.0 HTTP header

Content-Security-Policy:  frame-ancestors 'none'

is the default setting instead of

Content-Security-Policy: frame-ancestors 'self'

See Mitigating same-origin deployments for some background on this decision and CSP: frame-ancestors for details on the header.

The none header prevents loading of formgrader in a tab of JupyterLab.

The JupyterHub none setting overwrites the self setting of Jupyter Server running without JupyterHub. See

To allow embedding of nbgrader's formgrader (and possibly other nbgrader components) without affecting security of other JupyterHub components this PR sets frame-ancestors to self for responses of nbgrader handlers only.

The class BaseHandler modified by this PR is a subclass of tornado.web.RequestHandler, which provides the set_header method.
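To make the effect of the two header values concrete, the following is an added Python model of what the PR describes; it is not nbgrader's or JupyterHub's code. `apply_nbgrader_csp` is a hypothetical stand-in for the per-handler `set_header` override, and `embedding_allowed` applies frame-ancestors matching (for `'none'`, `'self'` and host-sources) to a framed page and its embedding ancestor, using constructed URLs.

```python
from __future__ import annotations
from urllib.parse import urlsplit

HUB_DEFAULT_CSP = "frame-ancestors 'none'"   # JupyterHub >= 4.1.0 default
NBGRADER_CSP = "frame-ancestors 'self'"      # value the PR sets on nbgrader responses

def apply_nbgrader_csp(headers: dict, is_nbgrader_handler: bool) -> dict:
    """Hypothetical stand-in for the set_header call the PR adds to BaseHandler.

    Only nbgrader handler responses get 'self'; every other response keeps
    the Hub default, so other components' clickjacking protection is unchanged.
    """
    out = dict(headers)
    out.setdefault("Content-Security-Policy", HUB_DEFAULT_CSP)
    if is_nbgrader_handler:
        out["Content-Security-Policy"] = NBGRADER_CSP
    return out

def frame_ancestors_sources(csp: str) -> list[str]:
    """Source list of the frame-ancestors directive, or [] if it is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return []

def _origin(url: str) -> tuple[str, str, int | None]:
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)

def embedding_allowed(csp: str, page_url: str, ancestor_url: str) -> bool:
    """Would a browser let the document at page_url (served with csp) be
    framed by the document at ancestor_url? Models 'none', 'self' and
    scheme://host[:port] host-sources; other source kinds are not handled."""
    sources = frame_ancestors_sources(csp)
    if not sources:
        return True   # frame-ancestors does NOT fall back to default-src
    page, ancestor = _origin(page_url), _origin(ancestor_url)
    for src in sources:
        if src == "'self'":
            if ancestor == page:
                return True
        elif not src.startswith("'"):          # host-source; 'none' etc. never match
            full = src if "://" in src else f"{page[0]}://{src}"
            if ancestor == _origin(full):
                return True
    return False
```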

Binder 👈 Launch a Binder on branch jeflem/nbgrader/formgrader_jhub41

@brichet brichet left a comment

Thanks @jeflem, looks good to me

brichet commented Nov 15, 2024

Bump CI

@brichet brichet closed this Nov 15, 2024
@brichet brichet reopened this Nov 15, 2024
brichet commented Nov 15, 2024

@jeflem I took the liberty to merge main into this PR to try to fix the check_release test, as mentioned at jupyter-server/jupyter_releaser#593 (comment)

@brichet brichet merged commit ba1e70b into jupyter:main Nov 15, 2024
23 of 24 checks passed
@brichet brichet linked an issue Nov 18, 2024 that may be closed by this pull request
LukasMueller187 commented Nov 22, 2024

Hi,
just wanted to check in here because we do have problems with clients using iPads (browser doesn't matter). Feedback html files are rejected because of the frame-ancestors directive.
I thought 0.9.4 would fix it but it doesn't.
Manually setting the header to 'self' again in (our case) apache does solve the issue, but as stated in the first post this is discouraged.

Any ideas?
edit: example error: Refused to load blob:https://<removed>/7a8d70b7-1c35-4f18-b24f-9c5280a28717 because it does not appear in the frame-ancestors directive of the Content Security Policy.

brichet commented Nov 22, 2024

Does it only fail on iPads?

Manually setting the header to 'self' again in (our case) apache does solve the issue, but as stated in the first post this is discouraged.

What do you mean by manually? In the config?
What is the "first post" you are mentioning?

LukasMueller187 commented Nov 22, 2024

Yes it seems to only fail on iPads (and maybe iPhones), so I'm guessing it's an iOS issue.
I narrowed it down to being an issue with html files, as they are always served as a blob by JupyterLab. As stated in the error message, iOS seems to reject this blob. In my understanding, it shouldn't (like all desktop browsers do).

By manually I mean configuring apache to set headers to 'self' for frame-ancestors and by first post I mean the first post in this PR.

However, this doesn't seem to be an issue with nbgrader. But I don't know where to file the bug (Lab or Hub or webkit iOS itself).

brichet commented Nov 22, 2024

Thanks for the clarification

Gehock pushed a commit to AaltoSciComp/nbgrader that referenced this pull request Dec 21, 2024
Successfully merging this pull request may close these issues.

JupyterHub 4.1.0 breaks Formgrader iFrame embed