CSP jupyterlab4

Hi,

I’m facing issue with the new jupyterlab4 CSP security policy.

Context:
I have a docker jupyterlab image, that was using jupyterlab 3.X.
User login using jupyterHub.
Settings are done using basic.py settings for the hub (dockerSpawner/SystemSpawner)

I display the jupyterlab web interface in an iframe, setting the correct CSP value in basic.py settings
→ NotebookApp.tornado_settings
→ JupyterHub.tornado_settings

This was working without any trouble for years.

I updated my jupyterlab3 to jupyterlab 4, and now, I have CSP issue on IFRAME.

Do you have any idea what changed, or if i need diferent settings now ?

Jupyter_hub_config.py

 180   │ c.JupyterHub.tornado_settings = {
 181   │     "headers": {"Content-Security-Policy": f"frame-ancestors 'self' *"}
 182   │ }
 183   │ c.NotebookApp.tornado_settings = {
 184   │     "headers": {"Content-Security-Policy": f"frame-ancestors 'self' *"}
 185   │ }

Jupyterlab start command

$jupyter_version \
  26   │             --ServerApp.root_dir=/home/$USER_NAME \
  27   │             --ServerApp.allow_password_change=False \
  28   │             --no-browser \
  29   │             --ip ${JUPYTER_IP:-0.0.0.0} \
  30   │             --port 8888 \
  31   │             --ServerApp.allow_origin=* \
  32   │             "${args[@]}"

image954×38 6.14 KB

image931×130 18.8 KB

Just a guess: c.ServerApp? The underlying change is the use of jupyter-server v2 in JupyterLab 4.0+ instead of the old notebook server.

Well I dont know, but i figured out, that changing my default config file from jupyter_notebook_config.py to jupyter_server_config.py fixed my issue (file containing => )

c.NotebookApp.tornado_settings = {
    'headers': {
        'Content-Security-Policy': "frame-ancestors 'self' * "
    }
}

do you have any example that how you have used jupyter in iframe

I am using winpython. I implemented the same that you have, but still it is not working.