* tornado 5: PeriodicCallback loop arg will be removed
PCs are always run with the current eventloop,
which is what the explicitly passed loop always is for us already
* Don't double-close socket & stream
closing stream closes the socket
* remove now-inaccurate comment
* Load translations for Javascript in page template
* Normalise language codes to gettext format with underscores
* .mo files need to be under LC_MESSAGES as well
* remove unused JS code
* Normalise result in test
* Fix for opening files on Py 2
* Fix location of I18N directory
* Add translation files to package_data
avoids clobbering cookies when multiple notebook servers are run on one host.
Users can override `cookie_options.path = ‘/‘` if they *want* cookies to be shared across notebooks on one host.
During the deprecation/removal of the `@json_errors` decorator, the
`reason` field was not carried forward into the compatible replacement
method `APIHandler.write_error`. This broke some client (tests) that
relied on that field's presence.
Fixes#2957.
we already apply this logic in our server-side checks,
but browsers check `Access-Control-Allow-Origin` headers themselves as well,
meaning that token-authenticated requests can’t be made cross-origin without CORS headers from browsers,
only scripts.
This makes default browser and server-side origin checks consistent
get_current_user is called in a few places that really shouldn’t raise
move the raising to `get_login_url`, which is called in `@web.authenticated`,
where we want to replace redirect logic with 403.
When starting a kernel using the Jupyter Notebook Kernel API, web
browsers will automatically check for the presence of `x-xsrftoken` in
the Access-Control-Allow-Headers during the preflight CORS check
([ref][ref]).
[ref]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
Since we didn't allow this header before, web browsers would fail the
preflight check even when the x-xsrftoken header isn't being used by the
notebook server.
This meant that running a webpage on localhost:8080 that used Javascript
to start a kernel on a notebook server running on localhost:8888 would
fail.
How I tested this commit:
1. Start a notebook server using
jupyter notebook --no-browser --NotebookApp.allow_origin="*" --NotebookApp.disable_check_xsrf=True --NotebookApp.token=''
2. Build the [web3](https://github.com/jupyter-widgets/ipywidgets/tree/master/examples/web3) example from ipywidgets.
3. In that directory, run `npm run host`.
4. Verify that visiting http://localhost:8080/ starts a kernel in the notebook server.
Use a copy to avoid writing content security policy into settings['headers'],
which can be a problem because APIHandlers have a stricter CSP than page handlers.
If an API request is made before the first page request, pages will fail to load due to CSP violations.
This commit fixes issue #1387 by adding a file `robots.txt`
that makes robots go away.
This commit is also similar to
316665e5d7
as it also adds the `favicon.ico`.
add /api/status endpoint for retrieving current status
includes
- started: start time of the server
- last_activity: latest activity across all endpoints
- connections: number of current connections
- kernels: number of current kernels
- Cookie-authenticated API requests must use set X-XSRFToken header
- add utils.ajax for making ajax requests, adding xsrf header from default location
Thomas Kluyver
Matthias Bussonnier
Min RK
Kevin Bates
Sam Lau
Grant Nestor
Anastasis Germanidis
Thomas Kluyver
Krista
Jason Grout