405 Method Not Allowed response to OPTIONS request for CORS preflight

I have JupyterHub running on Amazon EKS. I can access my hub and notebooks with some custom authentication I’ve configured. However, I’d like to embed the notebooks in an iframe and I’m running into trouble. When I try to make a ccross domain request to jupyterhub, the browser sends a request with the OPTIONS method, and jupyterhub responds with an HTTP 405 “Method Not Allowed”.

I dug into the jupyterhub source and I can’t see that LogoutHandler, BaseHandler, or RequestHandler define an options method so I think I’m getting a response from _unimplemented_method.

Based on this reading of the code, the reason for the 405 seems obvious, but a lot of people online seem to have working setups of this sort working (with the appropriate Content-Security-Policy and Access-Control-Allow-Origin headers). So… what gives? How does anyone have this working when cors preflight requires an OPTIONS response, and jupyterhub doesn’t seem to handle OPTIONS requests?

When you say “jupyterhub”, are you refering to the JupyterHub pages where you can start/stop servers, or the singleuser server such as JupyterLab?

Both can be seperately customised using tornado_settings. It’s not possible to customise them both in one place since JupyterHub launches the singleuser server, but hands over proxying to a separate process. This proxy passes everything straight through to the singleuser server.

I think I mean JupyterHub pages. Particularly the /hub/login and /hub/logout endpoints, although I expect this concern will apply to others later.

Try configuring c.JupyterHub.tornado_settings = .... If you search this forum there’s a few examples, but you might need some trial and error.