From 4a8af93b5bd92c02a2502cdc7281a9e7b90ac780 Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Tue, 13 Dec 2016 14:57:57 +0100
Subject: [PATCH 01/11] enable tornado xsrf cookie

---
 notebook/base/handlers.py     | 19 +++++++++++++++++--
 notebook/notebookapp.py       |  1 +
 notebook/templates/login.html |  1 +
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
index 5ef320b13..88c882ecc 100755
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@@ -288,8 +288,12 @@ class IPythonHandler(AuthenticatedHandler):
         host = self.request.headers.get("Host")
         origin = self.request.headers.get("Origin")
 
-        # If no header is provided, assume it comes from a script/curl.
-        # We are only concerned with cross-site browser stuff here.
+        # If no header is provided, allow it.
+        # Origin can be None for:
+        # - same-origin (IE, Firefox)
+        # - Cross-site POST form (IE, Firefox)
+        # - Scripts
+        # The cross-site POST (XSRF) case is handled by tornado's xsrf_token
         if origin is None or host is None:
             return True
 
@@ -340,6 +344,8 @@ class IPythonHandler(AuthenticatedHandler):
             sys_info=sys_info,
             contents_js_source=self.contents_js_source,
             version_hash=self.version_hash,
+            ignore_minified_js=self.ignore_minified_js,
+            xsrf_form_html=self.xsrf_form_html,
             **self.jinja_template_vars
         )
     
@@ -403,6 +409,15 @@ class APIHandler(IPythonHandler):
             raise web.HTTPError(404)
         return super(APIHandler, self).prepare()
 
+    def check_xsrf_cookie(self):
+        """Check non-empty body on POST for XSRF
+
+        instead of checking the cookie for forms.
+        """
+        if self.request.method.upper() == 'POST' and not self.request.body:
+            # Require non-empty POST body for XSRF
+            raise web.HTTPError(400, "POST requests must have a JSON body. If no content is needed, use '{}'.")
+
     @property
     def content_security_policy(self):
         csp = '; '.join([
diff --git a/notebook/notebookapp.py b/notebook/notebookapp.py
index 7998c14d4..484ba7e2e 100755
--- a/notebook/notebookapp.py
+++ b/notebook/notebookapp.py
@@ -225,6 +225,7 @@ class NotebookWebApplication(web.Application):
             login_handler_class=jupyter_app.login_handler_class,
             logout_handler_class=jupyter_app.logout_handler_class,
             password=jupyter_app.password,
+            xsrf_cookies=True,
 
             # managers
             kernel_manager=kernel_manager,
diff --git a/notebook/templates/login.html b/notebook/templates/login.html
index df394db32..61aafaf17 100644
--- a/notebook/templates/login.html
+++ b/notebook/templates/login.html
@@ -22,6 +22,7 @@
           <div class="center-nav">
             <p class="navbar-text nav">Password{% if token_available %} or token{% endif %}:</p>
             <form action="{{base_url}}login?next={{next}}" method="post" class="navbar-form pull-left">
+              {{ xsrf_form_html() | safe }}
               <input type="password" name="password" id="password_input" class="form-control">
               <button type="submit" id="login_submit">Log in</button>
             </form>

From 70e79a0ad69f02d46abed57e007ce5ef7f79319b Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Tue, 13 Dec 2016 15:54:41 +0100
Subject: [PATCH 02/11] add token_authenticated property

indicates if a token is used for authentication, in which case xsrf checks should be skipped.
---
 notebook/auth/login.py    | 78 +++++++++++++++++++++++++--------------
 notebook/base/handlers.py | 30 +++++++++------
 2 files changed, 69 insertions(+), 39 deletions(-)

diff --git a/notebook/auth/login.py b/notebook/auth/login.py
index ee260b7da..3511058ef 100644
--- a/notebook/auth/login.py
+++ b/notebook/auth/login.py
@@ -97,7 +97,7 @@ class LoginHandler(IPythonHandler):
     auth_header_pat = re.compile('token\s+(.+)', re.IGNORECASE)
 
     @classmethod
-    def get_user_token(cls, handler):
+    def get_token(cls, handler):
         """Get the user token from a request
 
         Default:
@@ -120,11 +120,22 @@ class LoginHandler(IPythonHandler):
         
         Origin check should be skipped for token-authenticated requests.
         """
+        return not cls.is_token_authenticated(handler)
+    
+    @classmethod
+    def is_token_authenticated(cls, handler):
+        """Check if the handler has been authenticated by a token.
+        
+        This is used to signal certain things, such as:
+        
+        - permit access to REST API
+        - xsrf protection
+        - skip origin-checks for scripts
+        """
         if getattr(handler, '_user_id', None) is None:
             # ensure get_user has been called, so we know if we're token-authenticated
             handler.get_current_user()
-        token_authenticated = getattr(handler, '_token_authenticated', False)
-        return not token_authenticated
+        return getattr(handler, '_token_authenticated', False)
 
     @classmethod
     def get_user(cls, handler):
@@ -136,40 +147,51 @@ class LoginHandler(IPythonHandler):
         # called on LoginHandler itself.
         if getattr(handler, '_user_id', None):
             return handler._user_id
-        user_id = handler.get_secure_cookie(handler.cookie_name)
-        if not user_id:
+        user_id = cls.get_user_token(handler)
+        if user_id is None:
+            user_id = handler.get_secure_cookie(handler.cookie_name)
+        else:
+            cls.set_login_cookie(handler, user_id)
+            # Record that we've been authenticated with a token.
+            # Used in should_check_origin above.
+            handler._token_authenticated = True
+        if user_id is None:
             # prevent extra Invalid cookie sig warnings:
             handler.clear_login_cookie()
-            token = handler.token
-            if not token and not handler.login_available:
+            if not handler.login_available:
                 # Completely insecure! No authentication at all.
                 # No need to warn here, though; validate_security will have already done that.
-                return 'anonymous'
-            if token:
-                # check login token from URL argument or Authorization header
-                user_token = cls.get_user_token(handler)
-                one_time_token = handler.one_time_token
-                authenticated = False
-                if user_token == token:
-                    # token-authenticated, set the login cookie
-                    handler.log.info("Accepting token-authenticated connection from %s", handler.request.remote_ip)
-                    authenticated = True
-                elif one_time_token and user_token == one_time_token:
-                    # one-time-token-authenticated, only allow this token once
-                    handler.settings.pop('one_time_token', None)
-                    handler.log.info("Accepting one-time-token-authenticated connection from %s", handler.request.remote_ip)
-                    authenticated = True
-                if authenticated:
-                    user_id = uuid.uuid4().hex
-                    cls.set_login_cookie(handler, user_id)
-                    # Record that we've been authenticated with a token.
-                    # Used in should_check_origin above.
-                    handler._token_authenticated = True
+                user_id = 'anonymous'
 
         # cache value for future retrievals on the same request
         handler._user_id = user_id
         return user_id
 
+    @classmethod
+    def get_user_token(cls, handler):
+        """Identify the user based on a token in the URL or Authorization header"""
+        token = handler.token
+        if not token:
+            return
+        # check login token from URL argument or Authorization header
+        user_token = cls.get_token(handler)
+        one_time_token = handler.one_time_token
+        authenticated = False
+        if user_token == token:
+            # token-authenticated, set the login cookie
+            handler.log.debug("Accepting token-authenticated connection from %s", handler.request.remote_ip)
+            authenticated = True
+        elif one_time_token and user_token == one_time_token:
+            # one-time-token-authenticated, only allow this token once
+            handler.settings.pop('one_time_token', None)
+            handler.log.info("Accepting one-time-token-authenticated connection from %s", handler.request.remote_ip)
+            authenticated = True
+
+        if authenticated:
+            return uuid.uuid4().hex
+        else:
+            return None
+
 
     @classmethod
     def validate_security(cls, app, ssl_options=None):
diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
index 88c882ecc..7edc4099d 100755
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@@ -48,7 +48,7 @@ def log():
 
 class AuthenticatedHandler(web.RequestHandler):
     """A RequestHandler with an authenticated user."""
-    
+
     @property
     def content_security_policy(self):
         """The default Content-Security-Policy header
@@ -95,6 +95,13 @@ class AuthenticatedHandler(web.RequestHandler):
             return False
         return not self.login_handler.should_check_origin(self)
 
+    @property
+    def token_authenticated(self):
+        """Have I been authenticated with a token?"""
+        if self.login_handler is None or not hasattr(self.login_handler, 'is_token_authenticated'):
+            return False
+        return self.login_handler.is_token_authenticated(self)
+
     @property
     def cookie_name(self):
         default_cookie_name = non_alphanum.sub('-', 'username-{}'.format(
@@ -317,7 +324,15 @@ class IPythonHandler(AuthenticatedHandler):
                 self.request.path, origin, host,
             )
         return allow
-    
+
+    def check_xsrf_cookie(self):
+        """Bypass xsrf checks when token-authenticated"""
+        if self.token_authenticated:
+            # Token-authenticated requests do not need additional XSRF-check
+            # Servers without authentication are vulnerable to XSRF
+            return
+        return super(IPythonHandler, self).check_xsrf_cookie()
+
     #---------------------------------------------------------------
     # template rendering
     #---------------------------------------------------------------
@@ -346,6 +361,8 @@ class IPythonHandler(AuthenticatedHandler):
             version_hash=self.version_hash,
             ignore_minified_js=self.ignore_minified_js,
             xsrf_form_html=self.xsrf_form_html,
+            token=self.token,
+            xsrf_token=self.xsrf_token,
             **self.jinja_template_vars
         )
     
@@ -409,15 +426,6 @@ class APIHandler(IPythonHandler):
             raise web.HTTPError(404)
         return super(APIHandler, self).prepare()
 
-    def check_xsrf_cookie(self):
-        """Check non-empty body on POST for XSRF
-
-        instead of checking the cookie for forms.
-        """
-        if self.request.method.upper() == 'POST' and not self.request.body:
-            # Require non-empty POST body for XSRF
-            raise web.HTTPError(400, "POST requests must have a JSON body. If no content is needed, use '{}'.")
-
     @property
     def content_security_policy(self):
         csp = '; '.join([

From 9478a6b82be4a21663c6ae2d85eb35722eab18b6 Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Tue, 13 Dec 2016 16:58:58 +0100
Subject: [PATCH 03/11] use tornado xsrf token in API

- Cookie-authenticated API requests must use set X-XSRFToken header
- add utils.ajax for making ajax requests, adding xsrf header from default location
---
 notebook/base/handlers.py                    |  2 +-
 notebook/static/base/js/utils.js             | 32 +++++++++++++++++---
 notebook/static/services/kernels/kernel.js   | 12 ++++----
 notebook/static/services/sessions/session.js | 10 +++---
 notebook/static/tree/js/notebooklist.js      |  2 +-
 notebook/static/tree/js/sessionlist.js       |  2 +-
 notebook/static/tree/js/terminallist.js      |  6 ++--
 notebook/templates/page.html                 |  9 +++++-
 8 files changed, 53 insertions(+), 22 deletions(-)

diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
index 7edc4099d..1dd376438 100755
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@@ -362,7 +362,7 @@ class IPythonHandler(AuthenticatedHandler):
             ignore_minified_js=self.ignore_minified_js,
             xsrf_form_html=self.xsrf_form_html,
             token=self.token,
-            xsrf_token=self.xsrf_token,
+            xsrf_token=self.xsrf_token.decode('utf8'),
             **self.jinja_template_vars
         )
     
diff --git a/notebook/static/base/js/utils.js b/notebook/static/base/js/utils.js
index 46911233b..1089d40c6 100644
--- a/notebook/static/base/js/utils.js
+++ b/notebook/static/base/js/utils.js
@@ -603,7 +603,7 @@ define([
     
     var to_absolute_cursor_pos = function (cm, cursor) {
         console.warn('`utils.to_absolute_cursor_pos(cm, pos)` is deprecated. Use `cm.indexFromPos(cursor)`');
-        return cm.indexFromPos(cusrsor);
+        return cm.indexFromPos(cursor);
     };
     
     var from_absolute_cursor_pos = function (cm, cursor_pos) {
@@ -752,6 +752,29 @@ define([
         return wrapped_error;
     };
     
+    var ajax = function (url, settings) {
+        // like $.ajax, but ensure Authorization header is set
+        settings = _add_auth_header(settings);
+        return $.ajax(url, settings);
+    };
+
+    var _add_auth_header = function (settings) {
+        /**
+         * Adds auth header to jquery ajax settings
+         */
+        settings = settings || {};
+        if (!settings.headers) {
+            settings.headers = {};
+        }
+        if (!settings.headers.Authorization) {
+            var xsrf_token = get_body_data('xsrfToken');
+            if (xsrf_token) {
+                settings.headers['X-XSRFToken'] = xsrf_token;
+            }
+        }
+        return settings;
+    };
+
     var promising_ajax = function(url, settings) {
         /**
          * Like $.ajax, but returning an ES6 promise. success and error settings
@@ -766,7 +789,7 @@ define([
                 log_ajax_error(jqXHR, status, error);
                 reject(wrap_ajax_error(jqXHR, status, error));
             };
-            $.ajax(url, settings);
+            ajax(url, settings);
         });
     };
 
@@ -1010,10 +1033,11 @@ define([
         is_or_has : is_or_has,
         is_focused : is_focused,
         mergeopt: mergeopt,
-        ajax_error_msg : ajax_error_msg,
-        log_ajax_error : log_ajax_error,
         requireCodeMirrorMode : requireCodeMirrorMode,
         XHR_ERROR : XHR_ERROR,
+        ajax : ajax,
+        ajax_error_msg : ajax_error_msg,
+        log_ajax_error : log_ajax_error,
         wrap_ajax_error : wrap_ajax_error,
         promising_ajax : promising_ajax,
         WrappedError: WrappedError,
diff --git a/notebook/static/services/kernels/kernel.js b/notebook/static/services/kernels/kernel.js
index 1b609dd94..a5942d87d 100644
--- a/notebook/static/services/kernels/kernel.js
+++ b/notebook/static/services/kernels/kernel.js
@@ -152,7 +152,7 @@ define([
      * @param {function} [error] - functon executed on ajax error
      */
     Kernel.prototype.list = function (success, error) {
-        $.ajax(this.kernel_service_url, {
+        utils.ajax(this.kernel_service_url, {
             processData: false,
             cache: false,
             type: "GET",
@@ -194,7 +194,7 @@ define([
             }
         };
 
-        $.ajax(url, {
+        utils.ajax(url, {
             processData: false,
             cache: false,
             type: "POST",
@@ -218,7 +218,7 @@ define([
      * @param {function} [error] - functon executed on ajax error
      */
     Kernel.prototype.get_info = function (success, error) {
-        $.ajax(this.kernel_url, {
+        utils.ajax(this.kernel_url, {
             processData: false,
             cache: false,
             type: "GET",
@@ -244,7 +244,7 @@ define([
     Kernel.prototype.kill = function (success, error) {
         this.events.trigger('kernel_killed.Kernel', {kernel: this});
         this._kernel_dead();
-        $.ajax(this.kernel_url, {
+        utils.ajax(this.kernel_url, {
             processData: false,
             cache: false,
             type: "DELETE",
@@ -278,7 +278,7 @@ define([
         };
 
         var url = utils.url_path_join(this.kernel_url, 'interrupt');
-        $.ajax(url, {
+        utils.ajax(url, {
             processData: false,
             cache: false,
             type: "POST",
@@ -323,7 +323,7 @@ define([
         };
 
         var url = utils.url_path_join(this.kernel_url, 'restart');
-        $.ajax(url, {
+        utils.ajax(url, {
             processData: false,
             cache: false,
             type: "POST",
diff --git a/notebook/static/services/sessions/session.js b/notebook/static/services/sessions/session.js
index 4224c0ec1..ade904f1f 100644
--- a/notebook/static/services/sessions/session.js
+++ b/notebook/static/services/sessions/session.js
@@ -76,7 +76,7 @@ define([
      * @param {function} [error] - functon executed on ajax error
      */
     Session.prototype.list = function (success, error) {
-        $.ajax(this.session_service_url, {
+        utils.ajax(this.session_service_url, {
             processData: false,
             cache: false,
             type: "GET",
@@ -117,7 +117,7 @@ define([
             }
         };
 
-        $.ajax(this.session_service_url, {
+        utils.ajax(this.session_service_url, {
             processData: false,
             cache: false,
             type: "POST",
@@ -139,7 +139,7 @@ define([
      * @param {function} [error] - functon executed on ajax error
      */
     Session.prototype.get_info = function (success, error) {
-        $.ajax(this.session_url, {
+        utils.ajax(this.session_url, {
             processData: false,
             cache: false,
             type: "GET",
@@ -165,7 +165,7 @@ define([
             this.notebook_model.path = path;
         }
 
-        $.ajax(this.session_url, {
+        utils.ajax(this.session_url, {
             processData: false,
             cache: false,
             type: "PATCH",
@@ -192,7 +192,7 @@ define([
             this.kernel._kernel_dead();
         }
 
-        $.ajax(this.session_url, {
+        utils.ajax(this.session_url, {
             processData: false,
             cache: false,
             type: "DELETE",
diff --git a/notebook/static/tree/js/notebooklist.js b/notebook/static/tree/js/notebooklist.js
index 4019e435a..dfe08b3e5 100644
--- a/notebook/static/tree/js/notebooklist.js
+++ b/notebook/static/tree/js/notebooklist.js
@@ -734,7 +734,7 @@ define([
                 'api/sessions',
                 encodeURIComponent(session.id)
             );
-            $.ajax(url, settings);
+            utils.ajax(url, settings);
         }
     };
 
diff --git a/notebook/static/tree/js/sessionlist.js b/notebook/static/tree/js/sessionlist.js
index 001eb9f04..3c664193b 100644
--- a/notebook/static/tree/js/sessionlist.js
+++ b/notebook/static/tree/js/sessionlist.js
@@ -62,7 +62,7 @@ define([
             error : utils.log_ajax_error,
         };
         var url = utils.url_path_join(this.base_url, 'api/sessions');
-        $.ajax(url, settings);
+        utils.ajax(url, settings);
     };
 
     SesssionList.prototype.sessions_loaded = function(data){
diff --git a/notebook/static/tree/js/terminallist.js b/notebook/static/tree/js/terminallist.js
index c8e8fcf1c..975aad906 100644
--- a/notebook/static/tree/js/terminallist.js
+++ b/notebook/static/tree/js/terminallist.js
@@ -60,12 +60,12 @@ define([
             this.base_url,
             'api/terminals'
         );
-        $.ajax(url, settings);
+        utils.ajax(url, settings);
     };
     
     TerminalList.prototype.load_terminals = function() {
         var url = utils.url_path_join(this.base_url, 'api/terminals');
-        $.ajax(url, {
+        utils.ajax(url, {
             type: "GET",
             cache: false,
             dataType: "json",
@@ -113,7 +113,7 @@ define([
                 };
                 var url = utils.url_path_join(that.base_url, 'api/terminals',
                     utils.encode_uri_components(name));
-                $.ajax(url, settings);
+                utils.ajax(url, settings);
                 return false;
             });
         item.find(".item_buttons").text("").append(shutdown_button);
diff --git a/notebook/templates/page.html b/notebook/templates/page.html
index e96aac227..9da14665d 100644
--- a/notebook/templates/page.html
+++ b/notebook/templates/page.html
@@ -197,7 +197,14 @@
 
 </head>
 
-<body class="{% block bodyclasses %}{% endblock %}" {% block params %}{% endblock %}>
+<body class="{% block bodyclasses %}{% endblock %}"
+ {% block params %}
+  data-xsrf-token="{{xsrf_token | urlencode}}"
+  {% if logged_in and token %}
+    data-jupyter-api-token="{{token | urlencode}}"
+  {% endif %}
+ {% endblock params %}
+>
 
 <noscript>
     <div id='noscript'>

From 2da82f909cbb46a09fa511fc21f760cacfe21a00 Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Tue, 13 Dec 2016 17:45:11 +0100
Subject: [PATCH 04/11] get xsrf from cookie, not body data

so that it can't be skimmed with a GET of the page
---
 notebook/static/base/js/utils.js | 8 +++++++-
 notebook/templates/page.html     | 1 -
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/notebook/static/base/js/utils.js b/notebook/static/base/js/utils.js
index 1089d40c6..48803365b 100644
--- a/notebook/static/base/js/utils.js
+++ b/notebook/static/base/js/utils.js
@@ -757,6 +757,12 @@ define([
         settings = _add_auth_header(settings);
         return $.ajax(url, settings);
     };
+    
+    var _get_cookie = function (name) {
+        // from tornado docs: http://www.tornadoweb.org/en/stable/guide/security.html
+        var r = document.cookie.match("\\b" + name + "=([^;]*)\\b");
+        return r ? r[1] : undefined;
+    }
 
     var _add_auth_header = function (settings) {
         /**
@@ -767,7 +773,7 @@ define([
             settings.headers = {};
         }
         if (!settings.headers.Authorization) {
-            var xsrf_token = get_body_data('xsrfToken');
+            var xsrf_token = _get_cookie('_xsrf');
             if (xsrf_token) {
                 settings.headers['X-XSRFToken'] = xsrf_token;
             }
diff --git a/notebook/templates/page.html b/notebook/templates/page.html
index 9da14665d..5fb920a5d 100644
--- a/notebook/templates/page.html
+++ b/notebook/templates/page.html
@@ -199,7 +199,6 @@
 
 <body class="{% block bodyclasses %}{% endblock %}"
  {% block params %}
-  data-xsrf-token="{{xsrf_token | urlencode}}"
   {% if logged_in and token %}
     data-jupyter-api-token="{{token | urlencode}}"
   {% endif %}

From 8e141df8901a8771008097f2e67ef87f3d407115 Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Wed, 14 Dec 2016 17:08:27 +0100
Subject: [PATCH 05/11] run Python tests with a token

exercises token auth
---
 .../tests/test_nbconvert_handlers.py          | 16 ++++-----
 .../services/config/tests/test_config_api.py  | 10 +++---
 .../contents/tests/test_contents_api.py       | 10 +++---
 .../kernels/tests/test_kernels_api.py         | 10 +++---
 .../kernelspecs/tests/test_kernelspecs_api.py | 10 +++---
 .../nbconvert/tests/test_nbconvert_api.py     | 10 +++---
 .../sessions/tests/test_sessions_api.py       | 18 +++++-----
 notebook/tests/launchnotebook.py              | 22 ++++++++++--
 notebook/tests/test_files.py                  | 34 ++++++++-----------
 notebook/tree/tests/test_tree_handler.py      |  4 +--
 10 files changed, 78 insertions(+), 66 deletions(-)

diff --git a/notebook/nbconvert/tests/test_nbconvert_handlers.py b/notebook/nbconvert/tests/test_nbconvert_handlers.py
index 23d0aada7..8b36932c3 100644
--- a/notebook/nbconvert/tests/test_nbconvert_handlers.py
+++ b/notebook/nbconvert/tests/test_nbconvert_handlers.py
@@ -26,12 +26,12 @@ except ImportError: #PY2
 
 class NbconvertAPI(object):
     """Wrapper for nbconvert API calls."""
-    def __init__(self, base_url):
-        self.base_url = base_url
+    def __init__(self, request):
+        self.request = request
 
     def _req(self, verb, path, body=None, params=None):
-        response = requests.request(verb,
-                url_path_join(self.base_url, 'nbconvert', path),
+        response = self.request(verb,
+                url_path_join('nbconvert', path),
                 data=body, params=params,
         )
         response.raise_for_status()
@@ -84,7 +84,7 @@ class APITest(NotebookTestBase):
                      encoding='utf-8') as f:
             write(nb, f, version=4)
 
-        self.nbconvert_api = NbconvertAPI(self.base_url())
+        self.nbconvert_api = NbconvertAPI(self.request)
 
     @onlyif_cmds_exist('pandoc')
     def test_from_file(self):
@@ -118,8 +118,7 @@ class APITest(NotebookTestBase):
 
     @onlyif_cmds_exist('pandoc')
     def test_from_post(self):
-        nbmodel_url = url_path_join(self.base_url(), 'api/contents/foo/testnb.ipynb')
-        nbmodel = requests.get(nbmodel_url).json()
+        nbmodel = self.request('GET', 'api/contents/foo/testnb.ipynb').json()
         
         r = self.nbconvert_api.from_post(format='html', nbmodel=nbmodel)
         self.assertEqual(r.status_code, 200)
@@ -133,8 +132,7 @@ class APITest(NotebookTestBase):
 
     @onlyif_cmds_exist('pandoc')
     def test_from_post_zip(self):
-        nbmodel_url = url_path_join(self.base_url(), 'api/contents/foo/testnb.ipynb')
-        nbmodel = requests.get(nbmodel_url).json()
+        nbmodel = self.request('GET', 'api/contents/foo/testnb.ipynb').json()
 
         r = self.nbconvert_api.from_post(format='latex', nbmodel=nbmodel)
         self.assertIn(u'application/zip', r.headers['Content-Type'])
diff --git a/notebook/services/config/tests/test_config_api.py b/notebook/services/config/tests/test_config_api.py
index a7778d1fa..28b931b17 100644
--- a/notebook/services/config/tests/test_config_api.py
+++ b/notebook/services/config/tests/test_config_api.py
@@ -11,12 +11,12 @@ from notebook.tests.launchnotebook import NotebookTestBase
 
 class ConfigAPI(object):
     """Wrapper for notebook API calls."""
-    def __init__(self, base_url):
-        self.base_url = base_url
+    def __init__(self, request):
+        self.request = request
 
     def _req(self, verb, section, body=None):
-        response = requests.request(verb,
-                url_path_join(self.base_url, 'api/config', section),
+        response = self.request(verb,
+                url_path_join('api/config', section),
                 data=body,
         )
         response.raise_for_status()
@@ -34,7 +34,7 @@ class ConfigAPI(object):
 class APITest(NotebookTestBase):
     """Test the config web service API"""
     def setUp(self):
-        self.config_api = ConfigAPI(self.base_url())
+        self.config_api = ConfigAPI(self.request)
 
     def test_create_retrieve_config(self):
         sample = {'foo': 'bar', 'baz': 73}
diff --git a/notebook/services/contents/tests/test_contents_api.py b/notebook/services/contents/tests/test_contents_api.py
index a7471cf3d..2227a4461 100644
--- a/notebook/services/contents/tests/test_contents_api.py
+++ b/notebook/services/contents/tests/test_contents_api.py
@@ -50,12 +50,12 @@ def dirs_only(dir_model):
 
 class API(object):
     """Wrapper for contents API calls."""
-    def __init__(self, base_url):
-        self.base_url = base_url
+    def __init__(self, request):
+        self.request = request
 
     def _req(self, verb, path, body=None, params=None):
-        response = requests.request(verb,
-                url_path_join(self.base_url, 'api/contents', path),
+        response = self.request(verb,
+                url_path_join('api/contents', path),
                 data=body, params=params,
         )
         response.raise_for_status()
@@ -220,7 +220,7 @@ class APITest(NotebookTestBase):
             self.make_blob(blobname, blob)
             self.addCleanup(partial(self.delete_file, blobname))
 
-        self.api = API(self.base_url())
+        self.api = API(self.request)
 
     def test_list_notebooks(self):
         nbs = notebooks_only(self.api.list().json())
diff --git a/notebook/services/kernels/tests/test_kernels_api.py b/notebook/services/kernels/tests/test_kernels_api.py
index 380228b00..ee35b9731 100644
--- a/notebook/services/kernels/tests/test_kernels_api.py
+++ b/notebook/services/kernels/tests/test_kernels_api.py
@@ -10,12 +10,12 @@ from notebook.tests.launchnotebook import NotebookTestBase, assert_http_error
 
 class KernelAPI(object):
     """Wrapper for kernel REST API requests"""
-    def __init__(self, base_url):
-        self.base_url = base_url
+    def __init__(self, request):
+        self.request = request
 
     def _req(self, verb, path, body=None):
-        response = requests.request(verb,
-                url_path_join(self.base_url, 'api/kernels', path), data=body)
+        response = self.request(verb,
+                url_path_join('api/kernels', path), data=body)
 
         if 400 <= response.status_code < 600:
             try:
@@ -48,7 +48,7 @@ class KernelAPI(object):
 class KernelAPITest(NotebookTestBase):
     """Test the kernels web service API"""
     def setUp(self):
-        self.kern_api = KernelAPI(self.base_url())
+        self.kern_api = KernelAPI(self.request)
 
     def tearDown(self):
         for k in self.kern_api.list().json():
diff --git a/notebook/services/kernelspecs/tests/test_kernelspecs_api.py b/notebook/services/kernelspecs/tests/test_kernelspecs_api.py
index de65743ed..62c7b4030 100644
--- a/notebook/services/kernelspecs/tests/test_kernelspecs_api.py
+++ b/notebook/services/kernelspecs/tests/test_kernelspecs_api.py
@@ -26,12 +26,12 @@ some_resource = u"The very model of a modern major general"
 
 class KernelSpecAPI(object):
     """Wrapper for notebook API calls."""
-    def __init__(self, base_url):
-        self.base_url = base_url
+    def __init__(self, request):
+        self.request = request
 
     def _req(self, verb, path, body=None):
-        response = requests.request(verb,
-                url_path_join(self.base_url, path),
+        response = self.request(verb,
+                path,
                 data=body,
         )
         response.raise_for_status()
@@ -52,7 +52,7 @@ class APITest(NotebookTestBase):
     def setUp(self):
         self.create_spec('sample')
         self.create_spec('sample 2')
-        self.ks_api = KernelSpecAPI(self.base_url())
+        self.ks_api = KernelSpecAPI(self.request)
 
     def create_spec(self, name):
         sample_kernel_dir = pjoin(self.data_dir.name, 'kernels', name)
diff --git a/notebook/services/nbconvert/tests/test_nbconvert_api.py b/notebook/services/nbconvert/tests/test_nbconvert_api.py
index d33c53767..d6ef9d2ca 100644
--- a/notebook/services/nbconvert/tests/test_nbconvert_api.py
+++ b/notebook/services/nbconvert/tests/test_nbconvert_api.py
@@ -5,12 +5,12 @@ from notebook.tests.launchnotebook import NotebookTestBase
 
 class NbconvertAPI(object):
     """Wrapper for nbconvert API calls."""
-    def __init__(self, base_url):
-        self.base_url = base_url
+    def __init__(self, request):
+        self.request = request
 
     def _req(self, verb, path, body=None, params=None):
-        response = requests.request(verb,
-                url_path_join(self.base_url, 'api/nbconvert', path),
+        response = self.request(verb,
+                url_path_join('api/nbconvert', path),
                 data=body, params=params,
         )
         response.raise_for_status()
@@ -21,7 +21,7 @@ class NbconvertAPI(object):
 
 class APITest(NotebookTestBase):
     def setUp(self):
-        self.nbconvert_api = NbconvertAPI(self.base_url())
+        self.nbconvert_api = NbconvertAPI(self.request)
 
     def test_list_formats(self):
         formats = self.nbconvert_api.list_formats().json()
diff --git a/notebook/services/sessions/tests/test_sessions_api.py b/notebook/services/sessions/tests/test_sessions_api.py
index 1d19bc4b2..dba1417d6 100644
--- a/notebook/services/sessions/tests/test_sessions_api.py
+++ b/notebook/services/sessions/tests/test_sessions_api.py
@@ -18,12 +18,12 @@ from nbformat import write
 
 class SessionAPI(object):
     """Wrapper for notebook API calls."""
-    def __init__(self, base_url):
-        self.base_url = base_url
+    def __init__(self, request):
+        self.request = request
 
     def _req(self, verb, path, body=None):
-        response = requests.request(verb,
-                url_path_join(self.base_url, 'api/sessions', path), data=body)
+        response = self.request(verb,
+                url_path_join('api/sessions', path), data=body)
 
         if 400 <= response.status_code < 600:
             try:
@@ -95,7 +95,7 @@ class SessionAPITest(NotebookTestBase):
             nb = new_notebook()
             write(nb, f, version=4)
 
-        self.sess_api = SessionAPI(self.base_url())
+        self.sess_api = SessionAPI(self.request)
 
         @self.addCleanup
         def cleanup_sessions():
@@ -154,7 +154,7 @@ class SessionAPITest(NotebookTestBase):
 
     def test_create_with_kernel_id(self):
         # create a new kernel
-        r = requests.post(url_path_join(self.base_url(), 'api/kernels'))
+        r = self.request('POST', 'api/kernels')
         r.raise_for_status()
         kernel = r.json()
 
@@ -222,7 +222,7 @@ class SessionAPITest(NotebookTestBase):
         self.assertNotEqual(after['kernel']['id'], before['kernel']['id'])
 
         # check kernel list, to be sure previous kernel was cleaned up
-        r = requests.get(url_path_join(self.base_url(), 'api/kernels'))
+        r = self.request('GET', 'api/kernels')
         r.raise_for_status()
         kernel_list = r.json()
         self.assertEqual(kernel_list, [after['kernel']])
@@ -232,7 +232,7 @@ class SessionAPITest(NotebookTestBase):
         sid = before['id']
 
         # create a new kernel
-        r = requests.post(url_path_join(self.base_url(), 'api/kernels'))
+        r = self.request('POST', 'api/kernels')
         r.raise_for_status()
         kernel = r.json()
 
@@ -245,7 +245,7 @@ class SessionAPITest(NotebookTestBase):
         self.assertEqual(after['kernel']['id'], kernel['id'])
 
         # check kernel list, to be sure previous kernel was cleaned up
-        r = requests.get(url_path_join(self.base_url(), 'api/kernels'))
+        r = self.request('GET', 'api/kernels')
         r.raise_for_status()
         kernel_list = r.json()
         self.assertEqual(kernel_list, [kernel])
diff --git a/notebook/tests/launchnotebook.py b/notebook/tests/launchnotebook.py
index ec8ec9aa6..ff943d41c 100644
--- a/notebook/tests/launchnotebook.py
+++ b/notebook/tests/launchnotebook.py
@@ -2,8 +2,8 @@
 
 from __future__ import print_function
 
+from binascii import hexlify
 import os
-import sys
 import time
 import requests
 from contextlib import contextmanager
@@ -23,6 +23,7 @@ import zmq
 import jupyter_core.paths
 from traitlets.config import Config
 from ..notebookapp import NotebookApp
+from ..utils import url_path_join
 from ipython_genutils.tempdir import TemporaryDirectory
 
 MAX_WAITTIME = 30   # seconds to wait for notebook server to start
@@ -68,6 +69,20 @@ class NotebookTestBase(TestCase):
         cls.notebook_thread.join(timeout=MAX_WAITTIME)
         if cls.notebook_thread.is_alive():
             raise TimeoutError("Undead notebook server")
+    
+    @classmethod
+    def request(self, verb, path, **kwargs):
+        """Send a request to my server
+        
+        with authentication and everything.
+        """
+        headers = kwargs.setdefault('headers', {})
+        # kwargs.setdefault('allow_redirects', False)
+        headers.setdefault('Authorization', 'token %s' % self.token)
+        response = requests.request(verb,
+            url_path_join(self.base_url(), path),
+            **kwargs)
+        return response
 
     @classmethod
     def setup_class(cls):
@@ -86,9 +101,12 @@ class NotebookTestBase(TestCase):
         cls.data_dir = data_dir
         cls.runtime_dir = TemporaryDirectory()
         cls.notebook_dir = TemporaryDirectory()
+
         config = cls.config or Config()
         config.NotebookNotary.db_file = ':memory:'
 
+        cls.token = hexlify(os.urandom(4)).decode('ascii')
+
         started = Event()
         def start_thread():
             app = cls.notebook = NotebookApp(
@@ -102,7 +120,7 @@ class NotebookTestBase(TestCase):
                 base_url=cls.url_prefix,
                 config=config,
                 allow_root=True,
-                token='',
+                token=cls.token,
             )
             # don't register signal handler during tests
             app.init_signal = lambda : None
diff --git a/notebook/tests/test_files.py b/notebook/tests/test_files.py
index 4c33ee345..96c6bf93a 100644
--- a/notebook/tests/test_files.py
+++ b/notebook/tests/test_files.py
@@ -41,27 +41,25 @@ class FilesTest(NotebookTestBase):
                 f.write('foo')
             with open(pjoin(path, '.foo'), 'w') as f:
                 f.write('.foo')
-        url = self.base_url()
         
         for d in not_hidden:
             path = pjoin(nbdir, d.replace('/', os.sep))
-            r = requests.get(url_path_join(url, 'files', d, 'foo'))
+            r = self.request('GET', url_path_join('files', d, 'foo'))
             r.raise_for_status()
             self.assertEqual(r.text, 'foo')
-            r = requests.get(url_path_join(url, 'files', d, '.foo'))
+            r = self.request('GET', url_path_join('files', d, '.foo'))
             self.assertEqual(r.status_code, 404)
             
         for d in hidden:
             path = pjoin(nbdir, d.replace('/', os.sep))
             for foo in ('foo', '.foo'):
-                r = requests.get(url_path_join(url, 'files', d, foo))
+                r = self.request('GET', url_path_join('files', d, foo))
                 self.assertEqual(r.status_code, 404)
     
     def test_contents_manager(self):
         "make sure ContentsManager returns right files (ipynb, bin, txt)."
 
         nbdir = self.notebook_dir.name
-        base = self.base_url()
 
         nb = new_notebook(
             cells=[
@@ -84,35 +82,34 @@ class FilesTest(NotebookTestBase):
             f.write(u'foobar')
             f.close()
 
-        r = requests.get(url_path_join(base, 'files', 'testnb.ipynb'))
+        r = self.request('GET', 'files/testnb.ipynb')
         self.assertEqual(r.status_code, 200)
         self.assertIn('print(2*6)', r.text)
         json.loads(r.text)
 
-        r = requests.get(url_path_join(base, 'files', 'test.bin'))
+        r = self.request('GET', 'files/test.bin')
         self.assertEqual(r.status_code, 200)
         self.assertEqual(r.headers['content-type'], 'application/octet-stream')
         self.assertEqual(r.content[:1], b'\xff')
         self.assertEqual(len(r.content), 6)
 
-        r = requests.get(url_path_join(base, 'files', 'test.txt'))
+        r = self.request('GET', 'files/test.txt')
         self.assertEqual(r.status_code, 200)
         self.assertEqual(r.headers['content-type'], 'text/plain')
         self.assertEqual(r.text, 'foobar')
     
     def test_download(self):
         nbdir = self.notebook_dir.name
-        base = self.base_url()
         
         text = 'hello'
         with open(pjoin(nbdir, 'test.txt'), 'w') as f:
             f.write(text)
         
-        r = requests.get(url_path_join(base, 'files', 'test.txt'))
+        r = self.request('GET', 'files/test.txt')
         disposition = r.headers.get('Content-Disposition', '')
         self.assertNotIn('attachment', disposition)
 
-        r = requests.get(url_path_join(base, 'files', 'test.txt') + '?download=1')
+        r = self.request('GET', 'files/test.txt?download=1')
         disposition = r.headers.get('Content-Disposition', '')
         self.assertIn('attachment', disposition)
         self.assertIn('filename="test.txt"', disposition)
@@ -120,7 +117,6 @@ class FilesTest(NotebookTestBase):
     def test_old_files_redirect(self):
         """pre-2.0 'files/' prefixed links are properly redirected"""
         nbdir = self.notebook_dir.name
-        base = self.base_url()
         
         os.mkdir(pjoin(nbdir, 'files'))
         os.makedirs(pjoin(nbdir, 'sub', 'files'))
@@ -134,19 +130,19 @@ class FilesTest(NotebookTestBase):
                 f.write(prefix + '/f2')
             with open(pjoin(nbdir, prefix, 'f3.txt'), 'w') as f:
                 f.write(prefix + '/f3')
-            
-            url = url_path_join(base, 'notebooks', prefix, 'files', 'f1.txt')
-            r = requests.get(url)
+
+            url = url_path_join('notebooks', prefix, 'files', 'f1.txt')
+            r = self.request('GET', url)
             self.assertEqual(r.status_code, 200)
             self.assertEqual(r.text, prefix + '/files/f1')
 
-            url = url_path_join(base, 'notebooks', prefix, 'files', 'f2.txt')
-            r = requests.get(url)
+            url = url_path_join('notebooks', prefix, 'files', 'f2.txt')
+            r = self.request('GET', url)
             self.assertEqual(r.status_code, 200)
             self.assertEqual(r.text, prefix + '/files/f2')
 
-            url = url_path_join(base, 'notebooks', prefix, 'files', 'f3.txt')
-            r = requests.get(url)
+            url = url_path_join('notebooks', prefix, 'files', 'f3.txt')
+            r = self.request('GET', url)
             self.assertEqual(r.status_code, 200)
             self.assertEqual(r.text, prefix + '/f3')
 
diff --git a/notebook/tree/tests/test_tree_handler.py b/notebook/tree/tests/test_tree_handler.py
index e2ea9e380..1c0d81d35 100644
--- a/notebook/tree/tests/test_tree_handler.py
+++ b/notebook/tree/tests/test_tree_handler.py
@@ -25,8 +25,8 @@ class TreeTest(NotebookTestBase):
         self.base_url()
 
     def test_redirect(self):
-        r = requests.get(url_path_join(self.base_url(), 'tree/foo/bar.ipynb'))
+        r = self.request('GET', 'tree/foo/bar.ipynb')
         self.assertEqual(r.url, self.base_url() + 'notebooks/foo/bar.ipynb')
 
-        r = requests.get(url_path_join(self.base_url(), 'tree/foo/baz.txt'))
+        r = self.request('GET', 'tree/foo/baz.txt')
         self.assertEqual(r.url, url_path_join(self.base_url(), 'files/foo/baz.txt'))

From d6f091c4439c174c7700776c0cee03053403f600 Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Wed, 14 Dec 2016 17:20:44 +0100
Subject: [PATCH 06/11] allow disabling xsrf check

for deployments that want to grant unfettered access, even from anonymous API requests
---
 notebook/base/handlers.py |  2 +-
 notebook/notebookapp.py   | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
index 1dd376438..4dae0db03 100755
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@@ -327,7 +327,7 @@ class IPythonHandler(AuthenticatedHandler):
 
     def check_xsrf_cookie(self):
         """Bypass xsrf checks when token-authenticated"""
-        if self.token_authenticated:
+        if self.token_authenticated or self.settings.get('disable_check_xsrf', False):
             # Token-authenticated requests do not need additional XSRF-check
             # Servers without authentication are vulnerable to XSRF
             return
diff --git a/notebook/notebookapp.py b/notebook/notebookapp.py
index 484ba7e2e..0c9549a7f 100755
--- a/notebook/notebookapp.py
+++ b/notebook/notebookapp.py
@@ -226,6 +226,7 @@ class NotebookWebApplication(web.Application):
             logout_handler_class=jupyter_app.logout_handler_class,
             password=jupyter_app.password,
             xsrf_cookies=True,
+            disable_check_xsrf=ipython_app.disable_check_xsrf,
 
             # managers
             kernel_manager=kernel_manager,
@@ -630,6 +631,21 @@ class NotebookApp(JupyterApp):
                       since any user can connect to the notebook server via ssh.
 
                       """
+
+    disable_check_xsrf = Bool(False, config=True,
+        help="""Disable cross-site-request-forgery protection
+
+        Jupyter notebook 4.3.1 introduces protection from cross-site request forgeries,
+        requiring API requests to either:
+
+        - originate from the (validated with XSRF cookie and token), or
+        - authenticate with a token
+
+        Some anonymous compute resources still desire the ability to run code,
+        completely without authentication.
+        These services can disable all authentication and security checks,
+        with the full knowledge of what that implies.
+        """
     )
 
     open_browser = Bool(True, config=True,

From dacea0e0d9000c502b5d075619a365c1d8bf5bbc Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Wed, 14 Dec 2016 17:48:05 +0100
Subject: [PATCH 07/11] changelog notes for 4.3.1

---
 docs/source/changelog.rst | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/docs/source/changelog.rst b/docs/source/changelog.rst
index 7b7842e55..eb702f481 100644
--- a/docs/source/changelog.rst
+++ b/docs/source/changelog.rst
@@ -11,7 +11,8 @@ For more detailed information, see
 
      Use ``pip install notebook --upgrade`` or ``conda upgrade notebook`` to
      upgrade to the latest release.
-     
+
+
 .. _release-4.3.1:
 
 4.3.1
@@ -19,6 +20,13 @@ For more detailed information, see
 
 4.3.1 is a patch release with a security patch, a couple bug fixes, and improvements to the newly-released token authentication.
 
+**Security fix**:
+
+- CVE-2016-9971. Fix CSRF vulnerability,
+  where malicious forms could create untitled files and start kernels
+  (no remote execution or modification of existing files)
+  for users of certain browsers (Firefox, Internet Explorer / Edge).
+
 Bug fixes:
 
 - Fix carriage return handling
@@ -31,16 +39,25 @@ Other improvements:
 - Further highlight token info in log output when autogenerated
 - Add Authorization to allowed CORS headers
 
-See the 4.3 milestone on GitHub for a complete list of
-`issues <https://github.com/jupyter/notebook/issues?utf8=%E2%9C%93&q=is%3Aissue%20milestone%3A4.3.1%20>`__
-and `pull requests <https://github.com/jupyter/notebook/pulls?utf8=%E2%9C%93&q=is%3Apr%20milestone%3A4.3.1%20>`__ involved in this release.
+See the 4.3.1 milestone on GitHub for a complete list of
+`issues <https://github.com/jupyter/notebook/issues?utf8=%E2%9C%93&q=is%3Aissue%20milestone%3A4.3.1>`__
+and `pull requests <https://github.com/jupyter/notebook/pulls?utf8=%E2%9C%93&q=is%3Apr%20milestone%3A4.3.1>`__ involved in this release.
 
 .. _release-4.3:
 
-4.3
----
+4.3.0
+-----
 
 4.3 is a minor release with many bug fixes and improvements.
+The biggest user-facing change is the addition of token authentication,
+which is enabled by default.
+A token is generated and used when your browser is opened automatically,
+so you shouldn't have to enter anything in the default circumstances.
+If you see a login page
+(e.g. by switching browsers, or launching on a new port with ``--no-browser``),
+you get a login URL with the token from the command ``jupyter notebook list``,
+which you can paste into your browser.
+
 
 Highlights:
 
@@ -88,6 +105,7 @@ See the 4.3 milestone on GitHub for a complete list of
 `issues <https://github.com/jupyter/notebook/issues?utf8=%E2%9C%93&q=is%3Aissue%20milestone%3A4.3%20>`__
 and `pull requests <https://github.com/jupyter/notebook/pulls?utf8=%E2%9C%93&q=is%3Apr%20milestone%3A4.3%20>`__ involved in this release.
 
+
 .. _release-4.2.3:
 
 4.2.3

From 86c6268f6445048b3508e4443187536e837e8913 Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Tue, 20 Dec 2016 17:48:14 +0100
Subject: [PATCH 08/11] prose review

---
 docs/source/changelog.rst |  5 +++--
 notebook/auth/login.py    | 27 ++++++++++++++++++---------
 notebook/base/handlers.py |  4 ++--
 notebook/notebookapp.py   |  2 +-
 4 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/docs/source/changelog.rst b/docs/source/changelog.rst
index eb702f481..2b8c21a84 100644
--- a/docs/source/changelog.rst
+++ b/docs/source/changelog.rst
@@ -26,18 +26,19 @@ For more detailed information, see
   where malicious forms could create untitled files and start kernels
   (no remote execution or modification of existing files)
   for users of certain browsers (Firefox, Internet Explorer / Edge).
+  All previous notebook releases are affected.
 
 Bug fixes:
 
 - Fix carriage return handling
-- Make the font size more robust against fickle brow
+- Make the font size more robust against fickle browsers
 - Ignore resize events that bubbled up and didn't come from window
+- Add Authorization to allowed CORS headers
 
 Other improvements:
 
 - Better docs for token-based authentication
 - Further highlight token info in log output when autogenerated
-- Add Authorization to allowed CORS headers
 
 See the 4.3.1 milestone on GitHub for a complete list of
 `issues <https://github.com/jupyter/notebook/issues?utf8=%E2%9C%93&q=is%3Aissue%20milestone%3A4.3.1>`__
diff --git a/notebook/auth/login.py b/notebook/auth/login.py
index 3511058ef..9ddfb7e52 100644
--- a/notebook/auth/login.py
+++ b/notebook/auth/login.py
@@ -117,17 +117,21 @@ class LoginHandler(IPythonHandler):
     @classmethod
     def should_check_origin(cls, handler):
         """Should the Handler check for CORS origin validation?
-        
+
         Origin check should be skipped for token-authenticated requests.
+
+        Returns:
+        - True, if Handler must check for valid CORS origin.
+        - False, if Handler should skip origin check since requests are token-authenticated.
         """
         return not cls.is_token_authenticated(handler)
-    
+
     @classmethod
     def is_token_authenticated(cls, handler):
-        """Check if the handler has been authenticated by a token.
-        
-        This is used to signal certain things, such as:
-        
+        """Returns True if handler has been token authenticated. Otherwise, False.
+
+        Login with a token is used to signal certain things, such as:
+
         - permit access to REST API
         - xsrf protection
         - skip origin-checks for scripts
@@ -152,8 +156,8 @@ class LoginHandler(IPythonHandler):
             user_id = handler.get_secure_cookie(handler.cookie_name)
         else:
             cls.set_login_cookie(handler, user_id)
-            # Record that we've been authenticated with a token.
-            # Used in should_check_origin above.
+            # Record that the current request has been authenticated with a token.
+            # Used in is_token_authenticated above.
             handler._token_authenticated = True
         if user_id is None:
             # prevent extra Invalid cookie sig warnings:
@@ -169,7 +173,12 @@ class LoginHandler(IPythonHandler):
 
     @classmethod
     def get_user_token(cls, handler):
-        """Identify the user based on a token in the URL or Authorization header"""
+        """Identify the user based on a token in the URL or Authorization header
+        
+        Returns:
+        - uuid if authenticated
+        - None if not
+        """
         token = handler.token
         if not token:
             return
diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
index 4dae0db03..be0fd1ac6 100755
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@@ -295,7 +295,7 @@ class IPythonHandler(AuthenticatedHandler):
         host = self.request.headers.get("Host")
         origin = self.request.headers.get("Origin")
 
-        # If no header is provided, allow it.
+        # If no header is provided, let the request through.
         # Origin can be None for:
         # - same-origin (IE, Firefox)
         # - Cross-site POST form (IE, Firefox)
@@ -326,7 +326,7 @@ class IPythonHandler(AuthenticatedHandler):
         return allow
 
     def check_xsrf_cookie(self):
-        """Bypass xsrf checks when token-authenticated"""
+        """Bypass xsrf cookie checks when token-authenticated"""
         if self.token_authenticated or self.settings.get('disable_check_xsrf', False):
             # Token-authenticated requests do not need additional XSRF-check
             # Servers without authentication are vulnerable to XSRF
diff --git a/notebook/notebookapp.py b/notebook/notebookapp.py
index 0c9549a7f..6729af04a 100755
--- a/notebook/notebookapp.py
+++ b/notebook/notebookapp.py
@@ -638,7 +638,7 @@ class NotebookApp(JupyterApp):
         Jupyter notebook 4.3.1 introduces protection from cross-site request forgeries,
         requiring API requests to either:
 
-        - originate from the (validated with XSRF cookie and token), or
+        - originate from pages served by this server (validated with XSRF cookie and token), or
         - authenticate with a token
 
         Some anonymous compute resources still desire the ability to run code,

From 0b50201ae4d4265eb671365864f7cc5d1b91a9fc Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Wed, 21 Dec 2016 21:59:44 +0100
Subject: [PATCH 09/11] note downgrade of CodeMirror in changelog

---
 docs/source/changelog.rst | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/source/changelog.rst b/docs/source/changelog.rst
index 2b8c21a84..641c2ac87 100644
--- a/docs/source/changelog.rst
+++ b/docs/source/changelog.rst
@@ -34,6 +34,7 @@ Bug fixes:
 - Make the font size more robust against fickle browsers
 - Ignore resize events that bubbled up and didn't come from window
 - Add Authorization to allowed CORS headers
+- Downgrade CodeMirror to 5.16 while we figure out issues in Safari
 
 Other improvements:
 

From a69494833bcaa33b81ac7d5615528c9a8136bc84 Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Tue, 3 Jan 2017 15:52:59 +0100
Subject: [PATCH 10/11] forward-port fixes

---
 notebook/notebookapp.py          | 3 ++-
 notebook/tests/launchnotebook.py | 7 ++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/notebook/notebookapp.py b/notebook/notebookapp.py
index 6729af04a..f49f3c900 100755
--- a/notebook/notebookapp.py
+++ b/notebook/notebookapp.py
@@ -226,7 +226,7 @@ class NotebookWebApplication(web.Application):
             logout_handler_class=jupyter_app.logout_handler_class,
             password=jupyter_app.password,
             xsrf_cookies=True,
-            disable_check_xsrf=ipython_app.disable_check_xsrf,
+            disable_check_xsrf=jupyter_app.disable_check_xsrf,
 
             # managers
             kernel_manager=kernel_manager,
@@ -631,6 +631,7 @@ class NotebookApp(JupyterApp):
                       since any user can connect to the notebook server via ssh.
 
                       """
+    )
 
     disable_check_xsrf = Bool(False, config=True,
         help="""Disable cross-site-request-forgery protection
diff --git a/notebook/tests/launchnotebook.py b/notebook/tests/launchnotebook.py
index ff943d41c..9ffe34989 100644
--- a/notebook/tests/launchnotebook.py
+++ b/notebook/tests/launchnotebook.py
@@ -3,11 +3,11 @@
 from __future__ import print_function
 
 from binascii import hexlify
-import os
-import time
-import requests
 from contextlib import contextmanager
+import os
+import sys
 from threading import Thread, Event
+import time
 from unittest import TestCase
 
 pjoin = os.path.join
@@ -17,6 +17,7 @@ try:
 except ImportError:
     from mock import patch #py2
 
+import requests
 from tornado.ioloop import IOLoop
 import zmq
 

From 83ca4833eb772f2130e6512e56699a18899fb0f0 Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Wed, 4 Jan 2017 10:41:56 +0100
Subject: [PATCH 11/11] update bundler tests with self.request

---
 notebook/bundler/tests/test_bundler_api.py | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/notebook/bundler/tests/test_bundler_api.py b/notebook/bundler/tests/test_bundler_api.py
index 542044b44..d3b509e4f 100644
--- a/notebook/bundler/tests/test_bundler_api.py
+++ b/notebook/bundler/tests/test_bundler_api.py
@@ -4,10 +4,8 @@
 # Distributed under the terms of the Modified BSD License.
 
 import io
-import requests
 from os.path import join as pjoin
 
-from notebook.utils import url_path_join
 from notebook.tests.launchnotebook import NotebookTestBase
 from nbformat import write
 from nbformat.v4 import (
@@ -45,20 +43,20 @@ class BundleAPITest(NotebookTestBase):
 
     def test_missing_bundler_arg(self):
         """Should respond with 400 error about missing bundler arg"""
-        resp = requests.get(url_path_join(self.base_url(), 'bundle', 'fake.ipynb'))
+        resp = self.request('GET', 'bundle/fake.ipynb')
         self.assertEqual(resp.status_code, 400)
         self.assertIn('Missing argument bundler', resp.text)
 
     def test_notebook_not_found(self):
         """Shoudl respond with 404 error about missing notebook"""
-        resp = requests.get(url_path_join(self.base_url(), 'bundle', 'fake.ipynb'),
+        resp = self.request('GET', 'bundle/fake.ipynb',
             params={'bundler': 'fake_bundler'})
         self.assertEqual(resp.status_code, 404)
         self.assertIn('Not Found', resp.text)
 
     def test_bundler_not_enabled(self):
         """Should respond with 400 error about disabled bundler"""
-        resp = requests.get(url_path_join(self.base_url(), 'bundle', 'testnb.ipynb'),
+        resp = self.request('GET', 'bundle/testnb.ipynb',
             params={'bundler': 'fake_bundler'})
         self.assertEqual(resp.status_code, 400)
         self.assertIn('Bundler fake_bundler not enabled', resp.text)
@@ -67,7 +65,7 @@ class BundleAPITest(NotebookTestBase):
         """Should respond with 500 error about failure to load bundler module"""
         with patch('notebook.bundler.handlers.BundlerHandler.get_bundler') as mock:
             mock.return_value = {'module_name': 'fake_module'}
-            resp = requests.get(url_path_join(self.base_url(), 'bundle', 'testnb.ipynb'),
+            resp = self.request('GET', 'bundle/testnb.ipynb',
                 params={'bundler': 'fake_bundler'})
             mock.assert_called_with('fake_bundler')
         self.assertEqual(resp.status_code, 500)
@@ -77,7 +75,7 @@ class BundleAPITest(NotebookTestBase):
         """Should respond with 200 and output from test bundler stub"""
         with patch('notebook.bundler.handlers.BundlerHandler.get_bundler') as mock:
             mock.return_value = {'module_name': 'notebook.bundler.tests.test_bundler_api'}
-            resp = requests.get(url_path_join(self.base_url(), 'bundle', 'testnb.ipynb'),
+            resp = self.request('GET', 'bundle/testnb.ipynb',
                 params={'bundler': 'stub_bundler'})
             mock.assert_called_with('stub_bundler')
         self.assertEqual(resp.status_code, 200)