RFC: jupyterhub removing referer checks

JupyterHub has had some header-based checks to limit intra-jupyterhub cross-site requests (e.g. singleuser server → hub api) without token authentication.

These have always proven problematic for deployments behind proxies, because the Host and protocol can get really confused with multiple layers of proxying, and multiple ways to set proxy headers.

We are going to switch to using a standard xsrf token approach for this: [WIP] Use XSRF tokens for cross-site checks by minrk · Pull Request #4032 · jupyterhub/jupyterhub · GitHub

which should bypass all the proxy issues, and have the same characteristics of somewhat (but not entirely, unless you deploy jupyterhub with subdomains) limiting access to cross-site requests among proxied jupyterhub endpoints.

Only cookie-authenticated requests will be affected (token-authenticated requests do not check the xsrf token, just as they never checked the headers), so this is not expected to have any visible effect on deployments other than removing the need for some workarounds for multi-layer proxies.

But if you have e.g. a custom JupyterHub page template that made API requests and did not use the jhapi helpers, it will need to be updated. I’m not aware of any such examples, so this may be nobody.
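To make the described behaviour concrete, here is an added illustration (not JupyterHub's own code, and not the code in the linked PR) of the decision a server makes under this approach: token-authenticated requests are accepted without any cross-site check, while cookie-authenticated requests must present an xsrf token that matches the one stored in the session cookie, which is what the jhapi helpers supply and what a hand-written template request would be missing. The cookie name `_xsrf`, the `X-XSRFToken` header and the `_xsrf` form field follow Tornado's conventions (JupyterHub is built on Tornado), but the token format and the sample requests below are constructed for this example and simplified relative to the real implementation.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    headers: dict
    cookies: dict
    form: dict = field(default_factory=dict)


def issue_xsrf_token() -> str:
    """Server side: mint an unguessable token to set as the _xsrf cookie.

    Tornado's real token is versioned and masked; a random hex string is
    enough to show the comparison logic.
    """
    return secrets.token_hex(16)


def is_token_authenticated(req: Request) -> bool:
    """API-token requests ("Authorization: token ...") never carried referer
    checks and do not carry xsrf checks either."""
    auth = req.headers.get("Authorization", "")
    return auth.lower().startswith("token ")


def check_xsrf(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for one request under the xsrf-token scheme.

    Only cookie-authenticated requests are subject to the check, and the check
    depends solely on values the client sends, so proxy-rewritten Host or
    X-Forwarded-* headers no longer matter.
    """
    if is_token_authenticated(req):
        return True, "token auth: xsrf check skipped"

    cookie_token = req.cookies.get("_xsrf")
    if not cookie_token:
        return False, "no _xsrf cookie on a cookie-authenticated request"

    # The jhapi helpers send the token in the X-XSRFToken header; HTML forms
    # carry it as a hidden _xsrf field. A cross-site page can trigger the
    # request but cannot read the cookie, so it cannot supply either.
    supplied = req.headers.get("X-XSRFToken") or req.form.get("_xsrf")
    if not supplied:
        return False, "cookie auth without xsrf token (e.g. custom template not using jhapi)"

    if not hmac.compare_digest(cookie_token, supplied):
        return False, "xsrf token does not match cookie"

    return True, "cookie auth with matching xsrf token"


def classify_samples() -> dict:
    """Run three constructed requests through the check and return the outcomes."""
    token = issue_xsrf_token()
    samples = {
        # A page using the jhapi helpers: cookie plus matching header.
        "jhapi_helper": Request(
            headers={"X-XSRFToken": token},
            cookies={"jupyterhub-session-id": "s1", "_xsrf": token},
        ),
        # A custom template that calls the API with only cookies attached.
        "custom_template": Request(
            headers={},
            cookies={"jupyterhub-session-id": "s1", "_xsrf": token},
        ),
        # A singleuser server or script using an API token: unaffected.
        "api_token": Request(
            headers={"Authorization": "token 0123abcd-placeholder"},
            cookies={},
        ),
    }
    return {name: check_xsrf(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in classify_samples().items():
        print(f"{name:16} {'allow' if allowed else 'reject':6} {reason}")
```

Running it shows the one case the post calls out: the request from a custom template that bypasses the jhapi helpers is the only one rejected, because it is cookie-authenticated but sends no xsrf token.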

Feedback is welcome: [WIP] Use XSRF tokens for cross-site checks by minrk · Pull Request #4032 · jupyterhub/jupyterhub · GitHub