@minrk
Member

@minrk minrk commented Oct 10, 2017

We already apply this logic in our server-side checks, but browsers check `Access-Control-Allow-Origin` headers themselves as well, meaning that token-authenticated requests can’t be made cross-origin without CORS headers from browsers, only scripts.

This makes default browser and server-side origin checks consistent.

Includes #2919 to avoid merge conflicts.
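
The mismatch described in the comment above, modelled as an added example that is not part of the original thread and is not the notebook project's code. All function names, the `token_cors` switch (False models the behaviour before this change) and the sample origins are assumptions made for illustration.

```python
import re

ACAO = "Access-Control-Allow-Origin"

def same_origin(origin, host):
    # No Origin header (a non-browser script) or an Origin that matches Host.
    return not origin or origin.split("://", 1)[-1] == host

def server_allows(origin, host, token_authenticated,
                  allow_origin="", allow_origin_pat=None):
    """Server-side origin check: is the request processed at all?"""
    if token_authenticated or same_origin(origin, host):
        return True
    if allow_origin:
        return allow_origin in ("*", origin)
    return bool(allow_origin_pat and re.match(allow_origin_pat, origin))

def cors_headers(origin, token_authenticated, allow_origin="",
                 allow_origin_pat=None, token_cors=True):
    """Response headers the browser consults before exposing the reply."""
    headers = {}
    if allow_origin:
        headers[ACAO] = allow_origin
    elif allow_origin_pat and origin and re.match(allow_origin_pat, origin):
        headers[ACAO] = origin
    elif token_cors and token_authenticated and origin:
        # Behaviour the pull request describes: a token-authenticated
        # request gets a CORS header, matching the server-side check.
        headers[ACAO] = origin
    return headers

def browser_can_read(origin, host, headers):
    """Browser-side check, made independently of the server's decision."""
    return same_origin(origin, host) or headers.get(ACAO) in ("*", origin)

def outcome(origin, host, token_authenticated, token_cors=True):
    """Return (server accepts, browser exposes response) for one request."""
    headers = cors_headers(origin, token_authenticated, token_cors=token_cors)
    return (server_allows(origin, host, token_authenticated),
            browser_can_read(origin, host, headers))

if __name__ == "__main__":
    host, other = "localhost:8888", "https://app.example"  # constructed values
    print("before, token, cross-origin:", outcome(other, host, True, token_cors=False))
    print("after,  token, cross-origin:", outcome(other, host, True))
    print("cookie only, cross-origin:  ", outcome(other, host, False))
    print("script with token, no Origin:", outcome("", host, True, token_cors=False))
```
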

@minrk minrk force-pushed the allow-origin-token branch from 014316c to 9acf6a8 Compare October 11, 2017 08:41
@minrk
Member Author

minrk commented Oct 11, 2017

My conflict-avoidance strategy was not successful, apparently. Rebased.

@takluyver
Member

I'm never entirely sure about these CORS issues, but I think I understand the basic idea, and I'm happy to trust the two of you. Do you want anyone else to review it? Do you want it in for 5.2?

@takluyver takluyver added this to the 5.3 milestone Oct 20, 2017
@takluyver takluyver merged commit 55aa80e into jupyter:master Oct 20, 2017
@gnestor
Contributor

gnestor commented Oct 26, 2017

We're going to try to release 5.2.1. Should this be included?

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 4, 2021