Is there actually a way of setting the content-security-policy headers served by a hub installation?

I have a use case (LaTeX + plotly + Jupyter) where I need to allow pages to embed an iframe in the cell output. This works fine with a local Jupyter installation, but when served from a user's spawned server on a JupyterHub the content-security-policy header is set to none. I have tried many versions of the suggestions in the various discussions here on changing this policy (Websocket issue when embedded in iframe, Embed Jupyterlab into an iframe, How to securely use Jupyter-lab (as a Docker instance) in iframe?). I have also looked at Config file and command line options — Jupyter Server documentation and do not seem to find anything related to setting the headers. Can someone more familiar with the code suggest what needs to be done?

I have tried various versions of:

c.JupyterHub.tornado_settings = {"headers": {"Content-Security-Policy": "frame-ancestors 'self'"}}
c.NotebookApp.tornado_settings = {"headers": {"Content-Security-Policy": "frame-ancestors 'self'"}}
c.ServerApp.tornado_settings = {"headers": {"Content-Security-Policy": "frame-ancestors 'self'"}}

I have not found a combination that causes the settings I want to be served with the pages. I am using a littlest jupyter hub installation.

I also tried suggestions for sending the tornado_settings through the Spawner (those caused the Spawner to crash).

Where are you setting c.ServerApp.tornado_settings? It needs to be in your singleuser configuration, not the hub configuration.

Can you share your full configuration and tell us how you setup your JupyterHub?


I have a default The Littlest JupyterHub installation. It makes sense that the settings need to be put in the singleuser configuration, but I cannot find where it is appropriate. I have been putting the commands in a .py file in the suggested tljh/config/jupyterhub_config.d directory. There are only two subdirectories for placing these in: jupyterhub_config.d and traefik_config.d. I assume that I need to find a different place to impact the singleuser configuration. I am not finding it. I did find a config directory full of .json files in the tljh/user tree. Is that what I am looking for?

I have put my .py file containing the directives above in the following two directories:

/opt/tljh/user/etc/jupyter/jupyter_server_config.d
/opt/tljh/user/etc/jupyter/jupyter_notebook_config.d

No joy. Any other hints? Thanks.

I’ve tested /opt/tljh/user/etc/jupyter/jupyter_server_config.py:

$ cat /opt/tljh/user/etc/jupyter/jupyter_server_config.py

c.ServerApp.tornado_settings = {"headers": {"Content-Security-Policy": "frame-ancestors 'self'"}}

And my browser sees the response header Content-Security-Policy: frame-ancestors 'self' as expected.
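Once the single-user config above is in place, the thing worth verifying is not that the line was read but what the browser will actually do with the header it receives. The following is an added example, not code from this thread or from Jupyter Server or TLJH: it parses a Content-Security-Policy header value, extracts frame-ancestors, and decides whether a given embedding origin may frame the page, following the CSP source-matching rules in simplified form (scheme and host must match, a pattern without a port only matches the scheme's default port, '*.' prefixes are wildcards; IPv6 literals and path components are not handled). The header sets it runs over are constructed to mirror the three situations in the thread (no header, 'none', 'self'), plus a fourth with an explicit external origin; the hostnames hub.example.org and notes.example.org are assumptions. fetch_headers() is there for checking a live server and is not used by the constructed samples.

```python
"""Check whether a Jupyter server's Content-Security-Policy permits framing.

Added example (not from the thread, Jupyter Server or TLJH).  Assumptions:
the host names below are placeholders, and source matching is a simplified
version of the CSP rules (no IPv6 literals, no path matching).
"""
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(value):
    """Split a CSP header value into {directive: [sources...]}.

    Directives are ';'-separated; per CSP, the first occurrence of a
    directive name wins and later duplicates are ignored.
    """
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _source_matches(pattern, scheme, host, port):
    """Match one host-source or scheme-source pattern against an origin."""
    if pattern == "*":
        return True
    if pattern.endswith(":") and "://" not in pattern:  # scheme-source, e.g. https:
        return pattern[:-1].lower() == scheme
    rest = pattern
    if "://" in pattern:
        pscheme, rest = pattern.split("://", 1)
        if pscheme.lower() != scheme:
            return False
    rest = rest.split("/", 1)[0]  # drop any path; paths are not matched here
    if ":" in rest:
        phost, pport = rest.rsplit(":", 1)
        if pport != "*" and int(pport) != port:
            return False
    else:
        phost = rest
        if port != DEFAULT_PORTS.get(scheme):  # no port given: default port only
            return False
    phost = phost.lower()
    if phost.startswith("*."):
        return host.endswith(phost[1:])
    return host == phost


def framing_allowed(headers, page_url, embedder_url):
    """Decide whether embedder_url may put page_url in an iframe.

    Returns (allowed, reason).  Only frame-ancestors is consulted; a server
    could also send X-Frame-Options, which this check does not look at.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    csp = hdrs.get("content-security-policy")
    if csp is None:
        return True, "no Content-Security-Policy header: framing is unrestricted"
    sources = parse_csp(csp).get("frame-ancestors")
    if sources is None:
        return True, "CSP sent but it has no frame-ancestors directive"
    if not sources or [s.lower() for s in sources] == ["'none'"]:
        return False, "frame-ancestors 'none' forbids all framing"
    page, emb = _origin(page_url), _origin(embedder_url)
    for src in sources:
        if src.lower() == "'self'":
            if emb == page:
                return True, "embedder is same-origin ('self')"
        elif src.lower() != "'none'" and _source_matches(src, *emb):
            return True, f"embedder matches source {src}"
    return False, f"embedder not listed in frame-ancestors {' '.join(sources)}"


def fetch_headers(url, timeout=5):
    """Fetch a page and return its response headers (for checking a live server)."""
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
        return dict(resp.headers)


# Constructed header sets mirroring the thread; not captured from a real hub.
SAMPLE_RESPONSES = {
    "no_csp": {},
    "none": {"Content-Security-Policy": "frame-ancestors 'none'"},
    "self": {"Content-Security-Policy": "frame-ancestors 'self'; report-uri /api/security/csp-report"},
    "self_plus_site": {"content-security-policy": "frame-ancestors 'self' https://notes.example.org"},
}
PAGE = "https://hub.example.org/user/alice/lab"

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        for embedder in (PAGE, "https://notes.example.org/page", "http://notes.example.org/page"):
            print(name, embedder, framing_allowed(hdrs, PAGE, embedder))
```

The decisive case for the thread is the "self" sample: with frame-ancestors 'self' the page can only be framed from the hub's own origin, so an external site embedding a user's server still gets blocked until that site's origin is added to the directive, and a server that sends no header at all is the one that is framable by anyone.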

@manics Thanks for making the effort to test this. I will keep investigating. My suspicion is a typo I am not seeing or I missed cleaning up something from other attempts that are conflicting. At least I know it should be possible now. I will report back if and when I resolve the issue.