Opened 2 years ago

Closed 2 years ago

Last modified 10 months ago

#22458 closed defect (fixed)

Temporarily disable Jupyter XSRF check in local notebooks to fix live documentation in Thebe

Reported by: jdemeyer Owned by:
Priority: blocker Milestone: sage-7.6
Component: notebook Keywords: days85
Cc: nthiery Merged in:
Authors: Jeroen Demeyer Reviewers: Julian Rüth
Report Upstream: Reported upstream. No feedback yet. Work issues:
Branch: b9ab9e5 Commit:
Dependencies: #22432 Stopgaps:

Description (last modified by nthiery)

When running a local Jupyter notebook, the live documentation does not work at all. The notebook log reports

[...]
[W 12:55:00.384 NotebookApp] 403 POST /api/kernels (::1): '_xsrf' argument missing from POST
[W 12:55:00.385 NotebookApp] 403 POST /api/kernels (::1) 2.54ms referer=http://localhost:8888/kernelspecs/sagemath/doc/prep/Quickstarts/Interact.html

One workaround, suggested by Min R. K., is to disable the XSRF security check in Jupyter.

This is meant as a temporary measure until Thebe has been refactored on top of JupyterLab (tentatively a couple of months???).

Upstream report: https://github.com/oreillymedia/thebe/issues/93
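As an added example (not code from this ticket, from Thebe or from Jupyter itself), here is a simplified Python model of the double-submit cookie check behind the 403 in the log above, modelled on Tornado's check_xsrf_cookie() as the notebook server uses it. The request names, the token value and the disable_check_xsrf flag are constructed; the flag stands in for the kind of server-wide option the workaround turns on.

```python
import hmac

# Constructed sample requests: (cookies, headers, form fields) as the server
# would see them. The token value is made up.
REQUESTS = {
    "thebe_post": ({"_xsrf": "tok123"}, {}, {}),                        # cookie only, no token echoed
    "notebook_ui": ({"_xsrf": "tok123"}, {"X-XSRFToken": "tok123"}, {}),  # token echoed in a header
    "form_post": ({"_xsrf": "tok123"}, {}, {"_xsrf": "tok123"}),         # token echoed as a form field
    "wrong_token": ({"_xsrf": "tok123"}, {"X-XSRFToken": "guess"}, {}),   # token does not match cookie
    "no_cookie": ({}, {"X-XSRFToken": "tok123"}, {}),                     # no session cookie at all
}


def check_xsrf(cookies, headers, form, disable_check_xsrf=False):
    """Return (allowed, reason) for a state-changing request such as POST /api/kernels.

    Double-submit cookie: the browser attaches the _xsrf cookie automatically,
    but only same-origin script can read it and echo it back in a header or
    form field, so a cross-site page cannot produce a matching pair.
    disable_check_xsrf=True models switching the protection off server-wide.
    """
    if disable_check_xsrf:
        return True, "xsrf check disabled"
    token = (form.get("_xsrf") or headers.get("X-XSRFToken")
             or headers.get("X-CSRFToken"))
    if not token:
        return False, "'_xsrf' argument missing from POST"
    expected = cookies.get("_xsrf")
    if not expected:
        return False, "'_xsrf' cookie missing"
    if not hmac.compare_digest(token, expected):   # constant-time comparison
        return False, "XSRF cookie does not match POST argument"
    return True, "ok"


def evaluate(disable_check_xsrf=False):
    """Map each constructed request name to whether the server would accept it."""
    return {name: check_xsrf(c, h, f, disable_check_xsrf)[0]
            for name, (c, h, f) in REQUESTS.items()}


if __name__ == "__main__":
    for name, (c, h, f) in REQUESTS.items():
        print(f"{name:12s} {check_xsrf(c, h, f)}")
    print("with disable_check_xsrf=True:", evaluate(disable_check_xsrf=True))
```

Echoing the value of the _xsrf cookie in an X-XSRFToken header is how the notebook's own frontend passes this check, which is the fix that keeps the protection enabled instead of disabling it for every client.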

Change History (16)

comment:1 Changed 2 years ago by jdemeyer

  • Description modified

comment:2 Changed 2 years ago by jdemeyer

  • Cc nthiery added
  • Description modified

comment:3 Changed 2 years ago by jdemeyer

  • Dependencies set to #22432

comment:4 Changed 2 years ago by jdemeyer

  • Authors Jeroen Demeyer deleted
  • Report Upstream changed from N/A to Not yet reported upstream; Will do shortly.
  • Summary changed from Fix Jupyter live documentation to Fix live documentation in Thebe

comment:5 Changed 2 years ago by jdemeyer

  • Description modified
  • Report Upstream changed from Not yet reported upstream; Will do shortly. to Reported upstream. No feedback yet.

comment:6 Changed 2 years ago by jdemeyer

It worries me a lot that Thebe upstream has not shown any activity since May 2016 (for example, a trivial pull request from June 2016 was not merged). Is the project dead?

Last edited 2 years ago by jdemeyer

comment:7 Changed 2 years ago by nthiery

I am not much surprised: it's likely that, once JupyterLab is out, Thebe will become just a thin library on top of it. So I can see the lack of motivation for doing just light maintenance on it. But of course if it's completely broken and nothing happens, that's not good.

comment:8 Changed 2 years ago by jdemeyer

  • Description modified
  • Priority changed from major to blocker
  • Summary changed from Fix live documentation in Thebe to Disable Jupyter XSRF check to fix live documentation in Thebe

comment:9 Changed 2 years ago by jdemeyer

  • Keywords days85 added

comment:10 Changed 2 years ago by nthiery

  • Description modified
  • Summary changed from Disable Jupyter XSRF check to fix live documentation in Thebe to Temporarily disable Jupyter XSRF check in local notebooks to fix live documentation in Thebe

comment:11 Changed 2 years ago by jdemeyer

  • Branch set to u/jdemeyer/disable_jupyter_xsrf_check_to_fix_live_documentation_in_thebe

comment:12 Changed 2 years ago by jdemeyer

  • Commit set to b9ab9e52484fe1f10c206733270b306d8d1e2ada
  • Status changed from new to needs_review

New commits:

ee60184  Upgrade Jupyter notebook
b9ab9e5  Disable XSRF checking to fix Thebe

comment:13 Changed 2 years ago by jdemeyer

  • Authors set to Jeroen Demeyer

comment:14 Changed 2 years ago by saraedum

  • Reviewers set to Julian Rüth
  • Status changed from needs_review to positive_review

comment:15 Changed 2 years ago by vbraun

  • Branch changed from u/jdemeyer/disable_jupyter_xsrf_check_to_fix_live_documentation_in_thebe to b9ab9e52484fe1f10c206733270b306d8d1e2ada
  • Resolution set to fixed
  • Status changed from positive_review to closed

comment:16 Changed 10 months ago by vbraun

  • Commit b9ab9e52484fe1f10c206733270b306d8d1e2ada deleted

Just saw this: you disabled XSRF protection on a potentially internet-facing service that allows for arbitrary code execution. This needs to be fixed ASAP...
