
Commit ca5f38e

moble authored and kevin-bates committed
Describe problems and solutions involving CSP headers
1 parent 7788291 commit ca5f38e

File tree

1 file changed

+36
-0
lines changed
docs/source/public_server.rst

Lines changed: 36 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -358,6 +358,42 @@ For example, in Firefox, go to the Preferences panel, Advanced section,
358358
Network tab, click 'Settings...', and add the address of the Jupyter server
359359
to the 'No proxy for' field.
360360

361+
Content-Security-Policy (CSP)
362+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
363+
364+
Certain `security guidelines
365+
<https://infosec.mozilla.org/guidelines/web_security.html#content-security-policy>`_
366+
recommend that servers use a Content-Security-Policy (CSP) header to prevent
367+
cross-site scripting vulnerabilities, specifically limiting to ``default-src:
368+
https:`` when possible. This directive causes two problems with Jupyter.
369+
First, it disables execution of inline javascript code, which is used
370+
extensively by Jupyter. Second, it limits communication to the https scheme,
371+
and prevents WebSockets from working because they communicate via the wss
372+
scheme (or ws for insecure communication). Jupyter uses WebSockets for
373+
interacting with kernels, so when you visit a server with such a CSP, your
374+
browser will block attempts to use wss, which will cause you to see
375+
"Connection failed" messages from jupyter notebooks, or simply no response
376+
from jupyter terminals. By looking in your browser's javascript console, you
377+
can see any error messages that will explain what is failing.
378+
379+
To avoid these problem, you need to add ``'unsafe-inline'`` and ``connect-src
380+
https: wss:`` to your CSP header, at least for pages served by jupyter. (That
381+
is, you can leave your CSP unchanged for other parts of your website.) Note
382+
that multiple CSP headers are allowed, but successive CSP headers can only
383+
restrict the policy; they cannot loosen it. For example, if your server sends
384+
both of these headers
385+
386+
Content-Security-Policy "default-src https: 'unsafe-inline'"
387+
Content-Security-Policy "connect-src https: wss:"
388+
389+
the first policy will already eliminate wss connections, so the second has no
390+
effect. Therefore, you can't simply add the second header; you have to
391+
actually modify your CSP header to look more like this:
392+
393+
Content-Security-Policy "default-src https: 'unsafe-inline'; connect-src https: wss:"
394+
395+
396+
361397
Docker CMD
362398
~~~~~~~~~~
363399
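Review bot: the directive quoted at diff lines 367-368 is written as ``default-src: https:``, with a colon after the directive name; CSP directive names take no colon, and the linked Mozilla guideline writes it as ``default-src https:``, so the stray colon should go or readers will copy an invalid policy. In the same hunk, the example headers after "both of these headers" and "look more like this:" are not introduced with ``::``, so reStructuredText will render them as block quotes rather than literal blocks and may turn the single quotes around 'unsafe-inline' into typographic quotes; ending those sentences with ``::`` and indenting the examples fixes that. The examples also mix formats: as an HTTP header the line is ``Content-Security-Policy: default-src https: 'unsafe-inline'; connect-src https: wss:`` (colon after the header name, no surrounding double quotes), whereas the quoted form reads like an nginx ``add_header`` fragment, so the text should say which one is meant. On the security point itself: 'unsafe-inline' under ``default-src`` re-enables inline scripts and styles for every page the policy covers, which is exactly the XSS protection the guideline is after, so the parenthetical about leaving the CSP unchanged for the rest of the site deserves to be the stated recommendation (scope the relaxed policy to the paths served by Jupyter) rather than an aside. Typo at diff line 379: "To avoid these problem" should read "To avoid these problems".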
