wip

voila-dashboards · May 13, 2024 · ddf0098 · ddf0098
1 parent 7596c4f
commit ddf0098
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 3 deletions.
diff --git a/voila/server_extension.py b/voila/server_extension.py
@@ -14,7 +14,9 @@
 from jupyter_server.base.handlers import FileFindHandler, path_regex
 from jupyter_server.utils import url_path_join
 from jupyterlab_server.themes_handler import ThemesHandler
-
+from jupyter_core.paths import jupyter_config_path
+from jupyter_server.serverapp import ServerApp
+from jupyter_core.application import JupyterApp
 from .tornado.contentshandler import VoilaContentsHandler
 
 from .configuration import VoilaConfiguration
@@ -38,9 +40,11 @@ def _jupyter_server_extension_points():
     return [{"module": "voila.server_extension"}]
 
 
-def _load_jupyter_server_extension(server_app):
+def _load_jupyter_server_extension(server_app: ServerApp):
     web_app = server_app.web_app
     # common configuration options between the server extension and the application
+    config_file_paths = [os.getcwd(), *jupyter_config_path()]
+    super(JupyterApp, server_app).load_config_file("voila", path=config_file_paths)
     voila_configuration = VoilaConfiguration(parent=server_app)
     template_name = voila_configuration.template
     template_paths = collect_template_paths(["voila", "nbconvert"], template_name)

diff --git a/voila/static_file_handler.py b/voila/static_file_handler.py
@@ -11,7 +11,7 @@
 import re
 
 import tornado.web
-
+from typing import cast
 from .paths import collect_static_paths
 
 
@@ -111,3 +111,40 @@ def get_absolute_path(self, root, path):
         if denylisted:
             raise tornado.web.HTTPError(403, "File denylisted")
         return super().get_absolute_path(root, path)
+
+    @property
+    def content_security_policy(self) -> str:
+        """The default Content-Security-Policy header
+
+        Can be overridden by defining Content-Security-Policy in settings['headers']
+        """
+        if "Content-Security-Policy" in self.settings.get("headers", {}):
+            # user-specified, don't override
+            return cast(str, self.settings["headers"]["Content-Security-Policy"])
+
+        return "; ".join(
+            [
+                "frame-ancestors 'self'",
+                "sandbox allow-scripts",
+            ]
+        )
+
+    def set_default_headers(self) -> None:
+        """Set the default headers."""
+        headers = {}
+        headers["X-Content-Type-Options"] = "nosniff"
+        headers.update(self.settings.get("headers", {}))
+
+        headers["Content-Security-Policy"] = self.content_security_policy
+
+        # Allow for overriding headers
+        for header_name, value in headers.items():
+            try:
+                self.set_header(header_name, value)
+            except Exception as e:
+                # tornado raise Exception (not a subclass)
+                # if method is unsupported (websocket and Access-Control-Allow-Origin
+                # for example, so just ignore)
+                self.log.exception(  # type:ignore[attr-defined]
+                    "Could not set default headers: %s", e
+                )