Content-Security-Policy (IFrame embedding) not working in new version

Bug description

Content-Security-Policy settings are not respected in the new version of JupyterHub.
The following screen capture demonstrates how the same settings worked in JupyterHub v1.4.0, while in v1.5.1 they don’t work any more:

In order to debug the problem I tried to dive into logs according to:

…no sign of any error in any file

Same settings on both JupyterHub instances

JupyterHub settings in file /opt/tljh/config/jupyterhub_config.d/jupyterhub_config.py:

c.JupyterHub.tornado_settings = {'headers': {'Content-Security-Policy': "frame-ancestors *;"}}
c.Spawner.args = ['--config=/home/jupyter_notebook_config.py']

Jupyter notebook settings in file: /home/jupyter_notebook_config.py

c.NotebookApp.tornado_settings={'headers': {'Content-Security-Policy': "frame-ancestors *;"}}

Other relevant context info

  • nginx settings for both JupyterHub instances are exactly the same
  • OS is exactly the same in both cases: Ubuntu 20.04
  • Python versions
    • in case of working (old) JupyterHub v1.4.0, default Python version is 3.7
    • in case of problematic (new) JupyterHub v1.5.1, default Python version is 3.9

Which browser are you using? If there are no errors on the hub side, something must be blocking on the browser. Did you check the browser console log?

It’s a browser-agnostic problem; I tried it with a few of them (Firefox, Safari, Brave).

Is there a way to perhaps find/replace the Content-Security-Policy header value across all files to hard-code the override?

Well, it seems like Chrome is blocking the cross-origin request. I could make it work on Firefox 114 on my Kubuntu workstation. As JupyterHub 1.5.1 is a bit too old, I had to downgrade to SQLAlchemy<2. I used exactly your config and env (py 3.9 and hub 1.5.1) and it worked!

@mahendrapaipuri you’re right, it works on Firefox, my mistake! Thank you so much for taking the time to replicate my env.

It looks like the origin of the problem is the Chromium browser core. I wonder if there’s something I can do to make it work for Chromium-based browsers (Chrome, Brave, Vivaldi, etc.). Any “dive-in” direction would be highly appreciated.
I’m using TLJH installation.

BTW, I simplified the setup with only one file now:
/opt/tljh/config/jupyterhub_config.d/jupyterhub_config.py:

c.JupyterHub.tornado_settings = {'headers': {'Content-Security-Policy': "frame-ancestors *;"}}
c.Spawner.args = ['--NotebookApp.tornado_settings={"headers":{"Content-Security-Policy": "frame-ancestors *;"}}']

For any Mac users, I found that brew uninstall jupyterlab and installing it directly within an environment with pip3 install jupyterlab worked.
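
Added example (not part of any post in this thread and not JupyterHub code): a simplified check of the framing headers a page returns, meant to be fed the response headers copied from the browser's network tab. The header sets and origins are constructed; source matching covers only `*`, `'self'`, hosts and `*.host` wildcards, and only the direct embedder is checked, not every ancestor.

```python
from urllib.parse import urlsplit

def frame_ancestors(policy):
    """Source list of the frame-ancestors directive in one policy, or None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def source_allows(source, embedder, page):
    """Simplified source matching: *, 'self', host and *.host only."""
    if source == "*":
        return True
    if source.lower() == "'self'":
        return embedder == page
    emb = urlsplit(embedder)
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != emb.scheme:
        return False
    if src.netloc.startswith("*."):
        return emb.netloc.endswith(src.netloc[1:])
    return src.netloc == emb.netloc               # 'none' never matches a host

def framing_verdict(headers, embedder, page):
    """headers: (name, value) pairs as received. Returns (allowed, notes)."""
    policies = [p for n, v in headers if n.lower() == "content-security-policy"
                for p in v.split(",")]            # one header may carry several policies
    lists = [fa for p in policies if (fa := frame_ancestors(p)) is not None]
    notes, allowed = [], True
    for sources in lists:
        ok = any(source_allows(s, embedder, page) for s in sources)
        notes.append(f"frame-ancestors {' '.join(sources)}: {'allows' if ok else 'blocks'}")
        if "*" in sources:
            notes.append("wildcard: any site may frame this page")
        allowed = allowed and ok                  # every policy must allow the embedder
    for value in (v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"):
        if lists:
            notes.append(f"X-Frame-Options {value}: ignored, frame-ancestors is present")
        elif value == "DENY" or (value == "SAMEORIGIN" and embedder != page):
            allowed = False
            notes.append(f"X-Frame-Options {value}: blocks")
    return allowed, notes

# Constructed header sets (not captured from the servers in this thread).
ONE_POLICY = [("Content-Security-Policy", "frame-ancestors *;")]
TWO_POLICIES = ONE_POLICY + [("Content-Security-Policy", "frame-ancestors 'self'")]
```

A response that carries two policies is framed only if both allow the embedder, so an override can be present in the response and still not take effect. The wildcard note marks that `frame-ancestors *` lets any site embed the page; listing the intended embedding origins narrows that.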