Websocket issue when embedded in iframe

JupyterLab
1

There are several posts asking about the websocket connect issue when attempting to embed in an iframe. But doesn’t seem to be a resolution.

Is it safe to say it’s not possible at the moment?

I’m trying to run JupyterLab via Modal.com and embed a spawned JupyterLab instance in an iframe in my Django site. I’m running into the same issue reported elsewhere in this forum: I can get the JupyterLab server to show the notebook in the iframe (via some CSP settings in both Tornado and in my parent Django site), but the ipykernal can’t connect as the websocket requests are getting a 403.

This is my configuration

c.ServerApp.tornado_settings = {
    "headers": {
        "Content-Security-Policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval'; "
         "connect-src 'self' wss://*; "
         "frame-ancestors 'self' https://(my app name).herokuapp.com http://localhost:8001;",
        "X-Frame-Options": "ALLOW-FROM https://(my app name).herokuapp.com http://localhost:8001"
    }
}

I’m wondering if perhaps it’s just not possible at the moment…but then I know that JupyterHub is being embedded in iframes in Canvas, so somehow this must be possible…

2

What errors do you see in your browser console?

I see a different error when testing across domains e.g. webpage http://localhost:8000/iframe.html, which embeds an iframe for JupyterLab with src=http://A.B.C.D:8888, or vice-versa:

Cookie “username-A-B-C-D-8888” has been rejected because it is foreign and does not have the “Partitioned“ attribute.

This seems to be related to Cookies Having Independent Partitioned State (CHIPS) - Privacy on the web | MDN. The partitioned attribute is not supported by the Python cookies library Support for Partitioned cookies attribute · Issue #112713 · python/cpython · GitHub

3

Hi @manics. I was getting a simple 403 on the websocket connection…there weren’t more details that I could see. I’ll try again today and see if I can get more detailed information.

Your guess that it’s CHIPS related sounds reasonable. However, how it is possible that groups have successfully embedded JupyterHub in iframes via LTI (e.g Canvas)? Shouldn’t the same issue have shown up? Or perhaps those approaches are broken now too if the CHIPS implementation is recent.

4

If you open your browser console/devtools I’d expect you to see some errors, e.g. related to the CSP, CHIPs, etc- you shouldn’t need to guess what the error is. If you don’t see anything that usually suggests there’s a problem in the backend, which should show up in the Jupyter-server/lab logs.

I don’t know how others are embedding JupyterHub, but it’s going to be very dependent on the domain(s) in use. The very heavy-handed approach (not recommended!) is to run a custom proxy in front of everything, and modify the cookies or headers on the fly.