Comments (4)
yuvipanda
commented on June 5, 2024
1
Gotta be careful when X-Forwarded-Host unconditionally. See rails/rails#29893 for an example of unforeseen security issues. A bunch of other web frameworks have features that list you explicitly set which IPs to trust X-Forwarded-Host headers from - https://expressjs.com/en/guide/behind-proxies.html.
This might not be a problem here for CORS, but something to carefully consider regardless
from jupyter_server.
afshin
commented on June 5, 2024
What you suggest sounds like the correct behavior. It's not part of the standard, but it's a "de facto standard"
from jupyter_server.
rolweber
commented on June 5, 2024
Would it make sense to check if these are set, and if so, to prefer them to the Host header when comparing to Origin?
Definitely not. Any attacker can set headers as they wish, so it's a bad idea to disable security checks based on the fact that some header is present. Explicitly telling Jupyter through the configuration that it is running behind a load balancer, as suggested by @yuvipanda, sounds like the way to go.
from jupyter_server.
rolweber
commented on June 5, 2024
Maybe add logic around this line to use the value from a configured header (Forwarded or X-Forwarded-Host or whatever) in favor of the value from the Host header. The latter should still be used as a fallback in the absence of the configured header, in case somebody is hitting the same server directly instead of through the load balancer.
On second thought, it might still be possible to abuse this by hitting the server directly. Tricky thing.
from jupyter_server.
Related Issues (20)
- Latest release 2.9.0 broken on install HOT 4
- Custom ContentsManager with a NoOpCheckpoints cannot open notebook, raises Unhandled error HOT 1
- Navigating in the JupyterLab UI can prevent idle kernels from being culled. HOT 10
- Remove usages of tornado io_loop in favor of native asyncio HOT 4
- Latest release is breaking custom ContentManager HOT 4
- lots of ways to trigger unhandled errors via filesystem permissions
- Stop using deprecated function in tornado HOT 1
- Serve kernel WASM assets
- Enable EPUB and HTML outputs from the docs HOT 1
- Tests failing in the latest version HOT 2
- Removing `nbconvert` as a required dependency HOT 4
- Missing Python target version bound leads to incorrect `ruff` suggestions HOT 3
- Kernel's execution state is not updated after the kernel is crashed while executing code HOT 4
- Should `current_user` and `prepare` guards be set in `AuthenticatedHandler` rather than `JupyterHandler`? HOT 2
- The Shut Down and Log Out menu items disappeared between 2.12.5 and 2.13.0 HOT 2
- Invalid page_config.json can crash server HOT 1
- interface for switching between jupyter apps
- Add constraints fore saving/reading files
- Add an HTML endpoint for `/api` with interactive docs HOT 3
- Slower atexit methods do not run to completion HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jupyter_server.