Setting CORS when creating a user server on Kubernetes via REST API

Hi,

I am having trouble setting up CORS options on the single user servers that are being spun up. The error I am seeing:

Access to fetch at '<URL>' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Do you have any tips on how I can set the correct CORS options on the single user servers that are spun up?

I do not have this problem locally as I use the following config:
jupyter_config.py:

ORIGIN = 'http://localhost:3000'
c.ServerApp.allow_origin = ORIGIN # Best to restrict the ORIGIN
c.ServerApp.allow_origin_pat = '.*'
c.ServerApp.allow_credentials = True
c.ServerApp.tornado_settings = {
  'headers': {
    'Access-Control-Allow-Origin': ORIGIN,  # Best to restrict the ORIGIN
    'Access-Control-Allow-Methods': '*',
    'Access-Control-Allow-Headers': 'Accept, Accept-Encoding, Accept-Language, Authorization, Cache-Control, Connection, Content-Type, Host, Origin, Pragma, Referer, sec-ch-ua, sec-ch-ua-mobile, sec-ch-ua-platform, Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Upgrade, User-Agent, X-XSRFToken, X-Datalayer, Expires',
    'Access-Control-Allow-Credentials': 'true',
    'Content-Security-Policy': f"frame-ancestors 'self' {ORIGIN} ",
  },
  'cookie_options': {
    'SameSite': 'None',
    'Secure': True
  }
}
c.IdentityProvider.cookie_options = {
  "SameSite": "None",
  "Secure": True,
}

When I instantiate the single user server on my Kubernetes cluster, I do so via the JupyterHub REST API:
POST request to:

/hub/api/users/{userId}/server

I have tried passing the following body:

{
    "cmd": "jupyterhub-singleuser",
    "args": ["--ip=0.0.0.0", "--NotebookApp.allow_origin=\"http://localhost:3000\"", "--NotebookApp.allow_credentials=True"]
}

And this one as well:

{
    "cmd": "jupyterhub-singleuser",
    "args": ["--ip=0.0.0.0", "--ServerApp.allow_origin=\"http://localhost:3000\"", "--ServerApp.allow_credentials=True"]
}

Both have not seemed to work. I have also tried changing my helm deployment and ran helm with my values.yml as the following:

    ServerApp:
      allow_origin: 'http://localhost:3000'
      allow_pat: '.*'
      allow_credential: true
      disable_check_xsrf: true
      tornado_settings:
        headers:
          Access-Control-Allow-Origin: 'http://localhost:3000'
          Access-Control-Allow-Methods: '*'
          Access-Control-Allow-Headers: 'Accept, Accept-Encoding, Accept-Language, Authorization, Cache-Control, Connection, Content-Type, Host, Origin, Pragma, Referer, sec-ch-ua, sec-ch-ua-mobile, sec-ch-ua-platform, Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Upgrade, User-Agent, X-XSRFToken, X-Datalayer, Expires'
          Access-Control-Allow-Credentials: 'true'
          Content-Security-Policy: "frame-ancestors 'self' http://localhost:3000"
        cookie_options:
          SameSite: 'None'
          Secure: true
    IdentityProvider:
      cookie_options:
        SameSite: 'None'
        Secure: true

I have also tried a variety of other configurations but for brevity I will leave those out as well.

Does anyone have any tips on how I can set the correct CORS options on single user servers that are spun up via the API?

The body has no effect, unless you’re using a spawner that accepts additional parameters being passed in the API call.

Where are you setting this? If this is Z2JH it looks like you’re missing part of your values.yaml file. If it’s under hub.config this only affects JupyterHub, it won’t affect the singleuser servers.

I think your options are

Oh wow, thanks a lot, I thought everything went under hub! That is an oversight on my part, really appreciate all the help, will try singleuser.cmd or the image as you mentioned and see how it turns out!
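
Added example, not part of the thread and not Jupyter's own code: a Python checker that applies the browser's preflight rules to a set of response headers, covering the "No 'Access-Control-Allow-Origin' header" error quoted in the first post and the `'*'` methods value used in the local config. The function name `audit_preflight` and both sample header sets are constructed for illustration.

```python
# Added example: check the response to a CORS preflight the way a browser does.
# audit_preflight and the sample header sets below are constructed for illustration.

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}  # never need to be listed in Allow-Methods


def audit_preflight(origin, method, resp_headers, credentialed=True):
    """Return the reasons a browser would block `method` from `origin`."""
    h = {k.lower(): v.strip() for k, v in resp_headers.items()}
    problems = []

    acao = h.get("access-control-allow-origin")
    if acao is None:
        problems.append("no Access-Control-Allow-Origin header")
    elif acao == "*":
        if credentialed:
            problems.append("'*' origin is not accepted for credentialed requests")
    elif acao != origin:
        problems.append(f"allowed origin {acao!r} != request origin {origin!r}")

    # The value must be exactly 'true' when the request carries cookies or auth.
    if credentialed and h.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")

    allowed = {m.strip().upper() for m in h.get("access-control-allow-methods", "").split(",")}
    m = method.upper()
    if m not in SAFELISTED_METHODS and m not in allowed:
        if "*" not in allowed:
            problems.append(f"{m} not in Access-Control-Allow-Methods")
        elif credentialed:
            problems.append("'*' in Allow-Methods is a literal, not a wildcard, with credentials")
    return problems


# Constructed sample: a pod started without any CORS settings.
NO_CORS = {"Content-Type": "application/json"}
# Constructed sample: the header values from the local config in the first post.
LOCAL_CONFIG = {
    "Access-Control-Allow-Origin": "http://localhost:3000",
    "Access-Control-Allow-Methods": "*",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    for name, hdrs in (("no CORS", NO_CORS), ("local config", LOCAL_CONFIG)):
        for verb in ("GET", "DELETE"):
            print(name, verb, audit_preflight("http://localhost:3000", verb, hdrs))
```

Feeding it the headers captured from an `OPTIONS` request against a spawned pod shows whether the single user server picked up the CORS settings at all, independent of the frontend.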