403 Forbidden when opening files in Jupyter

[zsaziz]

Trying to open an image (.PNG) in Jupyter after uploading it but the following error pops up:

403 : Forbidden
The error was:
Blocking Cross Origin request from <Notebook_URL/view/image.png>

The same error can be seen with other file formats such as .html, .pdf etc. XSRF check should be enabled for this to occur.

Jupyter details

sh-4.2$ jupyter --version
jupyter core     : 4.6.1
jupyter-notebook : 5.7.8
qtconsole        : 4.5.5
ipython          : 7.9.0
ipykernel        : 5.1.3
jupyter client   : 5.3.4
jupyter lab      : 1.2.3
nbconvert        : 5.6.1
ipywidgets       : 7.5.1
nbformat         : 4.4.0
traitlets        : 4.3.3

This issue is also seen when downloading a Notebook as .ipynb which is discussed in this issue: #4541

Some more info, this is the error log from Jupyter

[W 21:48:46.130 NotebookApp] Blocking Cross Origin request for /files/sagemaker_logo.png.  Referer: <Notebook_Url>, Host: 10.0.44.72:8443

Jupyter Notebook was launched with --port 8443 and hosted on the above IP. According to the error message above, it fails this check when XSRF is enabled:

notebook/notebook/base/handlers.py

Lines 415 to 428 in 9560e0c

	host = self.request.headers.get("Host")
	referer = self.request.headers.get("Referer")
	if not host:
	self.log.warning("Blocking request with no host")
	return False
	if not referer:
	self.log.warning("Blocking request with no referer")
	return False
	referer_url = urlparse(referer)
	referer_host = referer_url.netloc
	if referer_host == host:
	return True

This check will always fail as the host and referer will never be the same. Furthermore, you cannot set c.NotebookApp.allow_origin='*' as an argument as it checks for an explicit value rather than also checking for wildcard:

notebook/notebook/base/handlers.py

Lines 432 to 433 in 9560e0c

	if self.allow_origin:
	allow = self.allow_origin == origin

One workaround I found was to set c.NotebookApp.allow_origin='<Notebook_Url>' but that doesn't address the root cause of this issue.

[keraldi]

The workaround does not work if the notebook is accessed remotely.
In my setup, my notebook server opens a reverse SSH tunnel to a remote server. If the notebook is accessed through the port, error 403 will be issued if people try to access a .pdf but not for .ipynb files.

Even if XSRF is disabled, it does not work.
I've tried setting c.NotebookApp.allow_origin='' to '*', 'localhost' and '<remote URL'.
Accessing it locally through X11 forwarding in a browser works, but not through the tunnel.

[chansonzhang]

When I view a file (non ipynb) or download any file, the page show that the cross origin request was blocked. However, any other operations behave normal. I solved this problem by setting the c.NotebookApp.allow_origin from '*' to 'http://<my-front-end-ip>'. May this could help anyone.

[psychemedia]

I'm seeing a similar error in Chrome, but not Firefox, when trying to view a local HTML file on the path localhost:PORT/view/foo/bar.html that loads local js and local css files. The server is in a Docker container, the browser on host. In Chrome (81.0.4044.129), the js and and css loads give the warning:

Cross-Origin Read Blocking (CORB) blocked cross-origin response http://localhost:PORT/login?next=%2Ffiles%2Ffoo%2Fbar.js with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.

and the error:

Refused to execute script from 'http://localhost:PORT/login?next=%2Ffiles%2Ffoo%2Fbar.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.

Everything works fine in Firefox.

[yashag66]

While trying to load image in markdown cell on Sagemaker jupyter notebook the image fails to get loaded in jupyter notebook.

<img src="imgs/example.PNG">

But the same notebook works fine in jupyterlab on sagemaker itself.

While trying to open the image in jupterlab separately, i'm able to view it but with jupyterhub i get the below CORS error.

Thanks in advance for the help!! 💯

[ayush--s]

workaround using #5067 (comment) works

[davidlinse]

Hi, are there any news on this ?

[boludo00]

I am having the same issue. Using an IFrame to display some static html file which references css and js files in the notebook directory. Can't get around the CORB issue, although it works fine in Firefox.

[nicozhang]

I am having the same issue. Using an IFrame to display some static html file which references css and js files in the notebook directory. Can't get around the CORB issue, although it works fine in Firefox.

That's all because of Chrome browser. You shoud set them to the same domain name ,like aa.bb.com cc.bb.com .