Merge pull request #5898 from minrk/allow_origin_wildcard

handle allow_origin='*' in check_referer
jupyter · Dec 19, 2020 · 24bf3a5 · 24bf3a5
2 parents 5abcbd3 + 067c399
commit 24bf3a5
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
@@ -404,6 +404,10 @@ def check_referer(self):
         Used on GET for api endpoints and /files/
         to block cross-site inclusion (XSSI).
         """
+
+        if self.allow_origin == "*" or self.skip_check_origin():
+            return True
+
         host = self.request.headers.get("Host")
         referer = self.request.headers.get("Referer")