I am using TLJH with a lab interface. I have created two HTML files: index.html and test.html. test.html just outputs “this is a test”.
In index.html I have the following code:
<a href="test.html">test link</a><br>
<a href="https://myurl.com/user/oli/files/test.html">absolute test</a><br>
<a href="/user/oli/files/test.html">extended relative link</a><br>
<a href="/user/oli/lab/tree/test.html">test link</a><br>
<a href="/user/oli/proxy/absolute/path/to/test.html">test link</a><br>
But with all options when I click on the link I get “myurl.com refused to connect.”
It doesn’t seem to make any difference if I trust or don’t trust html. I’ve got students relying on this so any help would be appreciated!
—EDIT—
While waiting for moderator to unblock me (I hope) I’ve tracked this down to (I assume) header frame-ancestors ‘none’; sandbox allow-scripts
What I’m struggling with is how to remove that link. The users of this hub are relatively low skill so I’m not too worried about them doing anything nefarious. One suggestion was to add this to config.yaml:
    hub:
      extraConfig:
        disableCSP: |
          c.Spawner.args = ['--NotebookApp.tornado_settings={"headers":{"Content-Security-Policy": ""}}']
But it doesn’t seem to have an impact. Another was to edit traefik.toml and add middleware headers:
    [http.middlewares.cspHeader.headers]
    customResponseHeaders = {
      Content-Security-Policy = "frame-ancestors self; sandbox allow-scripts"
    }
But that toml file doesn’t exist…
so an alternative suggestion is to add the config to the yaml file…
    traefik_api:
      extraStaticConfig:
        http:
          routers:
            jupyterhub:
              middlewares:
                - addCSPHeader
          middlewares:
            addCSPHeader:
              headers:
                customResponseHeaders:
                  Content-Security-Policy: "frame-ancestors self; sandbox allow-scripts"

Again, no impact.
The challenge is I don’t know if these settings are being picked up and ignored, picked up and overridden by something else, or just not seen at all!
—ANOTHER EDIT—
If I open it in a new browser, the relative links work fine (yay) but images linked through do not (though I can right click them and view so the address is obviously ok) - related?
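
An added example, not part of the original post and not TLJH or Jupyter code: a simplified Python model of how a browser evaluates the `frame-ancestors` and `sandbox` directives quoted above. The function names are hypothetical and the matching rules are reduced (no wildcard hosts or ports). It shows that an unquoted `self` is read as a host name rather than the `'self'` keyword, and that when more than one policy reaches the browser, every one of them must allow the framing.

```python
from urllib.parse import urlsplit

def parse_csp(value):
    """Parse one Content-Security-Policy header value into {directive: [tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_matches(source, parent_origin, page_origin):
    """Simplified frame-ancestors matching (no wildcard hosts or ports)."""
    if source == "'self'":
        return parent_origin == page_origin
    if source == "*":
        return True
    if source.startswith("'"):
        return False  # 'none' or an unknown keyword matches nothing
    if "://" in source:
        return source.rstrip("/") == parent_origin
    # An unquoted token such as self is a host name, not the 'self' keyword.
    return source == urlsplit(parent_origin).hostname

def framing_allowed(policies, parent_origin, page_origin):
    """Every delivered policy must admit the embedding page."""
    for policy in policies:
        sources = policy.get("frame-ancestors")
        if sources is not None and not any(
            source_matches(s, parent_origin, page_origin) for s in sources
        ):
            return False
    return True

def effective_sandbox(policies):
    """Flags that survive all sandbox directives, or None if unsandboxed."""
    flag_sets = [set(p["sandbox"]) for p in policies if "sandbox" in p]
    return set.intersection(*flag_sets) if flag_sets else None

# Constructed inputs: the origin and header values mirror those quoted in the post.
ORIGIN = "https://myurl.com"
served = parse_csp("frame-ancestors 'none'; sandbox allow-scripts")
unquoted = parse_csp("frame-ancestors self; sandbox allow-scripts")
quoted = parse_csp("frame-ancestors 'self'; sandbox allow-scripts")

if __name__ == "__main__":
    for label, policies in [("served", [served]), ("unquoted self", [unquoted]),
                            ("quoted 'self'", [quoted]), ("served + quoted", [served, quoted])]:
        print(label, framing_allowed(policies, ORIGIN, ORIGIN), effective_sandbox(policies))
```

To see which policies actually reach the browser, inspect the response headers of the file request in the browser's network panel and feed each `Content-Security-Policy` value to `parse_csp`.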