Add xsrf exception to Tensorboard POST requests.

Expand xsrf_cookie exceptions, normally only applied to GET and HEAD requests in the IPythonHandler, to POST requests in TensorboardHandler. Provides support for hparams plugin, which uses POST to retrieve experiment information but can't be trivially extended to include xsrf information in these POST requests. Mirrors existing IPythonHandler behavior, falling back to Referer header rather than form parameters.
cliffwoolley · Aug 20, 2019 · 5e4f0fc · 5e4f0fc
1 parent ecb70d9
commit 5e4f0fc
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/jupyter_tensorboard/handlers.py b/jupyter_tensorboard/handlers.py
@@ -91,6 +91,34 @@ def post(self, name, path):
         else:
             raise web.HTTPError(404)
 
+    def check_xsrf_cookie(self):
+        """Expand xsrf check exception for POST requests.
+
+        Expand xsrf_cookie exceptions, normally only applied to GET and HEAD
+        requests, to POST requests for tensorboard api.
+
+        Provides support for hparams plugin, which uses POST to retrieve
+        experiment information but can't be trivially extended to include xsrf
+        information in these POST requests.
+
+        """
+
+        try:
+            return super(TensorboardHandler, self).check_xsrf_cookie()
+        except web.HTTPError:
+            if self.request.method in {"GET", "POST", "HEAD"}:
+                # Consider Referer a sufficient cross-origin check for GET requests
+                # Extended to post for Tensorboard API
+                if not self.check_referer():
+                    referer = self.request.headers.get("Referer")
+                    if referer:
+                        msg = "Blocking Cross Origin request from {}.".format(referer)
+                    else:
+                        msg = "Blocking request from unknown origin"
+                    raise web.HTTPError(403, msg)
+            else:
+                raise
+
 
 class TensorboardErrorHandler(IPythonHandler):
     pass