enable tornado xsrf cookie

minrk · minrk · commit 8abc6dff7718 · 2016-12-21T21:14:10.000+01:00
diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
@@ -285,8 +285,12 @@ def check_origin(self, origin_to_satisfy_tornado=""):
         host = self.request.headers.get("Host")
         origin = self.request.headers.get("Origin")
 
-        # If no header is provided, assume it comes from a script/curl.
-        # We are only concerned with cross-site browser stuff here.
+        # If no header is provided, allow it.
+        # Origin can be None for:
+        # - same-origin (IE, Firefox)
+        # - Cross-site POST form (IE, Firefox)
+        # - Scripts
+        # The cross-site POST (XSRF) case is handled by tornado's xsrf_token
         if origin is None or host is None:
             return True
 
@@ -338,6 +342,7 @@ def template_namespace(self):
             contents_js_source=self.contents_js_source,
             version_hash=self.version_hash,
             ignore_minified_js=self.ignore_minified_js,
+            xsrf_form_html=self.xsrf_form_html,
             **self.jinja_template_vars
         )
     
@@ -401,6 +406,15 @@ def prepare(self):
             raise web.HTTPError(404)
         return super(APIHandler, self).prepare()
 
+    def check_xsrf_cookie(self):
+        """Check non-empty body on POST for XSRF
+
+        instead of checking the cookie for forms.
+        """
+        if self.request.method.upper() == 'POST' and not self.request.body:
+            # Require non-empty POST body for XSRF
+            raise web.HTTPError(400, "POST requests must have a JSON body. If no content is needed, use '{}'.")
+
     @property
     def content_security_policy(self):
         csp = '; '.join([
diff --git a/notebook/notebookapp.py b/notebook/notebookapp.py
@@ -192,6 +192,7 @@ def init_settings(self, ipython_app, kernel_manager, contents_manager,
             login_handler_class=ipython_app.login_handler_class,
             logout_handler_class=ipython_app.logout_handler_class,
             password=ipython_app.password,
+            xsrf_cookies=True,
 
             # managers
             kernel_manager=kernel_manager,
diff --git a/notebook/templates/login.html b/notebook/templates/login.html
@@ -22,6 +22,7 @@
           <div class="center-nav">
             <p class="navbar-text nav">Password{% if token_available %} or token{% endif %}:</p>
             <form action="{{base_url}}login?next={{next}}" method="post" class="navbar-form pull-left">
+              {{ xsrf_form_html() | safe }}
               <input type="password" name="password" id="password_input" class="form-control">
               <button type="submit" id="login_submit">Log in</button>
             </form>
