Jupyter server API requests rejected due to multiple values for Access-Control-Allow-Origin header

To give context, I have a jupyterhub instance sitting behind my company's API gateway, and I am using the API of the hub and server exclusively. I am running into an issue when making a request to the jupyter server API where the response has two Access-Control-Allow-Origin header values. I believe the issue is due to my gateway and the jupyterhub gateway both injecting Access-Control-Allow-Origin headers into the response. I was wondering if there was a way to disable the hub injecting the additional headers into the response.

Here is the API workflow.

  1. Start a server via a custom service communicating with the hub.
  2. Request an API token from a custom service communicating with the hub.
  3. Use the token to make requests against the server instance (via the hub proxy, i.e. /user/{user_id}/).
    • All server requests get an additional Access-Control-Allow-Origin header added on.

I have already tried the solution discussed here, which only supported my suspicions because the additional header value changed to the one I added (i.e. *).

I’m not sure how your gateway works, but is it possible for the gateway to set headers instead of adding headers?

You can set the value in the server to the same value * (c.ServerApp.allow_origin = '*'). It is important to set the value, because Jupyter Server checks the origin on requests; it doesn’t just set the CORS header. So if you only override the CORS header, the browser will attempt the request, but it will be rejected if it doesn’t match the server’s CORS settings.

Of course, by allowing any origin, you are also explicitly allowing cross-site request forgeries.
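
The two points in the reply above, as an added example that is not part of the thread and is not Jupyter or gateway code: it models a gateway that adds versus sets Access-Control-Allow-Origin, the browser's CORS check on the resulting headers, and a simplified server-side origin check. All function names, the origin and the header lists are constructed for illustration.

```python
ACAO = "Access-Control-Allow-Origin"

def acao_values(headers):
    """Return every Access-Control-Allow-Origin value, in the order received."""
    return [v.strip() for k, v in headers if k.lower() == ACAO.lower()]

def browser_cors_check(origin, headers):
    """Model of the browser check: exactly one value, either '*' or the Origin.

    Browsers join repeated headers with ', ', so two values never match.
    """
    values = acao_values(headers)
    if not values:
        return False, "no Access-Control-Allow-Origin header"
    if len(values) > 1 or "," in values[0]:
        return False, "multiple values: " + ", ".join(values)
    if values[0] in ("*", origin):
        return True, "ok"
    return False, "origin mismatch: " + values[0]

def gateway_add(headers, name, value):
    """Gateway appends its header and keeps whatever upstream already sent."""
    return headers + [(name, value)]

def gateway_set(headers, name, value):
    """Gateway replaces any upstream header of the same name."""
    kept = [(k, v) for k, v in headers if k.lower() != name.lower()]
    return kept + [(name, value)]

def server_accepts(origin, allow_origin):
    """Simplified model (assumption) of the server-side origin check:
    the request is refused unless the configured value covers the Origin."""
    return allow_origin == "*" or origin == allow_origin

# Constructed sample data: upstream response already carries a wildcard header.
ORIGIN = "https://app.example.test"
UPSTREAM = [("Content-Type", "application/json"), (ACAO, "*")]

if __name__ == "__main__":
    for mode, fn in (("add", gateway_add), ("set", gateway_set)):
        print(mode, browser_cors_check(ORIGIN, fn(UPSTREAM, ACAO, ORIGIN)))
    # Rewriting the header at the gateway does not change what the server allows.
    print("server allows", ORIGIN, "->", server_accepts(ORIGIN, ORIGIN))
    print("server allows other origin ->",
          server_accepts("https://other.example.test", ORIGIN))
```

Configuring the server with the single origin the gateway serves, rather than `*`, keeps both checks passing for that origin while other origins are still refused.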