From 08f7189cbaeea7e4a4f83bfa69c9420b124ad633 Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Wed, 11 Oct 2017 10:51:12 +0200
Subject: [PATCH] only allow CORS exception when auth is enabled

---
 notebook/base/handlers.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
index a33005eaf..3423e3675 100755
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@@ -530,11 +530,17 @@ class APIHandler(IPythonHandler):
         # if authorization header is requested,
         # that means the request is token-authenticated.
         # avoid browser-side rejection of the preflight request.
-        # only allow this exception if allow_origin has not been specified.
+        # only allow this exception if allow_origin has not been specified
+        # and notebook authentication is enabled.
+        # If the token is not valid, the 'real' request will still be rejected.
         requested_headers = self.request.headers.get('Access-Control-Request-Headers', '').split(',')
         if requested_headers and any(
             h.strip().lower() == 'authorization'
             for h in requested_headers
+        ) and (
+            # FIXME: it would be even better to check specifically for token-auth,
+            # but there is currently no API for this.
+            self.login_available
         ) and (
             self.allow_origin
             or self.allow_origin_pat