From fb7ee6f348ffa8263f4fd458959b57c88744fe3c Mon Sep 17 00:00:00 2001 From: Min RK Date: Thu, 20 Jul 2017 10:43:28 +0200 Subject: [PATCH 1/2] avoid modifying settings['headers'] in add_default_headers Use a copy to avoid writing content security policy into settings['headers'], which can be a problem because APIHandlers have a stricter CSP than page handlers. If an API request is made before the first page request, pages will fail to load due to CSP violations. --- notebook/base/handlers.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py index 6be7a41ff..701115f33 100755 --- a/notebook/base/handlers.py +++ b/notebook/base/handlers.py @@ -68,13 +68,14 @@ class AuthenticatedHandler(web.RequestHandler): ]) def set_default_headers(self): - headers = self.settings.get('headers', {}) + headers = {} + headers.update(self.settings.get('headers', {})) if "Content-Security-Policy" not in headers: headers["Content-Security-Policy"] = self.content_security_policy - + # Allow for overriding headers - for header_name,value in headers.items() : + for header_name, value in headers.items(): try: self.set_header(header_name, value) except Exception as e: From f512880fcb1d2516e2074615679e7331cea9271f Mon Sep 17 00:00:00 2001 From: Min RK Date: Thu, 20 Jul 2017 10:51:08 +0200 Subject: [PATCH 2/2] allow overriding csp report uri via tornado settings --- notebook/base/handlers.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py index 701115f33..2e5e3dbc3 100755 --- a/notebook/base/handlers.py +++ b/notebook/base/handlers.py 
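Review bot: The reason for building a fresh dict is recorded only in the commit message; the two new lines `headers = {}` / `headers.update(self.settings.get('headers', {}))` need a comment so the next editor does not fold them back into a direct reference to the shared settings dict, e.g. `# Work on a copy: settings['headers'] is shared by every handler, and the CSP added below is per-handler-class`. The same can be written in one statement as `headers = dict(self.settings.get('headers', {}))`. Note that a `Content-Security-Policy` entry placed in settings['headers'] still wins over `self.content_security_policy` for every handler class, including the stricter API policy the message describes, and the copy does not change that; that trade-off belongs in the comment too. The method continues past the hunk (the `except Exception as e:` body is not shown).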
@@ -64,7 +64,7 @@ class AuthenticatedHandler(web.RequestHandler): return '; '.join([ "frame-ancestors 'self'", # Make sure the report-uri is relative to the base_url - "report-uri " + url_path_join(self.base_url, csp_report_uri), + "report-uri " + self.settings.get('csp_report_uri', url_path_join(self.base_url, csp_report_uri)), ]) def set_default_headers(self):
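Review bot: The context comment `# Make sure the report-uri is relative to the base_url` no longer holds on the changed line when `csp_report_uri` is present in the tornado settings: that value is emitted verbatim, without `url_path_join`, so it must already be the complete path or absolute URL the browser should post reports to. I would extend the comment to `# Default report-uri is made relative to base_url; a 'csp_report_uri' setting is used as-is and must already be a full path or URL`. The setting is also spliced into the header string unchecked, so a value containing `;` would add further CSP directives — acceptable for operator-supplied configuration, but worth stating in the same comment. The property's definition starts before the hunk.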