Merge pull request #592 from minrk/xsrf
Don't protect static assets from XSRF
oliver-sanders authored May 8, 2024
2 parents 0eefd4d + 9d64669 commit 399ea47
Showing 3 changed files with 15 additions and 0 deletions.
1 change: 1 addition & 0 deletions CONTRIBUTING.md
Expand Up @@ -59,6 +59,7 @@ below.
- Mel Hall
- Christopher Bennett
- Mark Dawson
- Min RK
<!-- end-shortlog -->

(All contributors are identifiable with email addresses in the git version
1 change: 1 addition & 0 deletions changes.d/592.fix
@@ -0,0 +1 @@
Compatibility with JupyterHub 4.1 XSRF changes for static requests
13 changes: 13 additions & 0 deletions cylc/uiserver/handlers.py
Expand Up @@ -184,10 +184,23 @@ class CylcStaticHandler(CylcAppHandler, web.StaticFileHandler):
def initialize(self, *args, **kwargs):
return web.StaticFileHandler.initialize(self, *args, **kwargs)

def check_xsrf_cookie(self):
# don't need XSRF protections on static assets
return

@web.authenticated
def get(self, path):
# authenticate the static handler
# this provides us with login redirection and token caching
if not path:
# Request for /index.html
# Accessing xsrf_token ensures xsrf cookie is set
# to be available for next request to /userprofile
self.xsrf_token
# Ensure request goes through this method even when cached so
# that the xsrf cookie is set on new browser sessions
# (doesn't prevent browser storing the response):
self.set_header('Cache-Control', 'no-cache')
return web.StaticFileHandler.get(self, path)
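
Review bot: `check_xsrf_cookie` in `CylcStaticHandler` returns unconditionally, so the bypass applies to every HTTP method this class (or a subclass) ever serves, not only the static reads the comment refers to. Returning early only when `self.request.method in ('GET', 'HEAD')` and otherwise deferring to `super().check_xsrf_cookie()` would keep the protection in place if a state-changing method is added here later. In `get`, the bare `self.xsrf_token` expression is kept only for its cookie-setting side effect; assigning it to `_` or moving it into a small named helper would stop a linter or a later cleanup from dropping it as a no-op. The change also ships without a test that a fresh session requesting the index receives the XSRF cookie and the `Cache-Control: no-cache` header.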



0 comments on commit 399ea47