Notebook: Download file functionality is broken in notebook packages version 5.7.6+ (5.7.7, 5.7.8)

Created on 2 Apr 2019 · 17 Comments · Source: jupyter/notebook

Original bug: https://github.com/jupyterlab/jupyterlab/issues/6149

Reproduce:

  • start JupyterLab with notebook 5.7.6+
  • try to download file

Observed behavior:

  • failed - forbidden (on all browsers except Safari)

XSRF protection should be switched on


All 17 comments

@minrk I am facing the same issue on Chrome and Firefox. Any way around this?

The same issue can be reproduced (On all chrome and firefox browsers) when jupyterhub is hosted behind a Nginx reverse proxy on domain "https://test.domain.com" and internal IP where jupyterhub and notebooks are hosted is 10.0.0.128:8000. And Notebook Servers are spawned in dockers.

Here the Referer: https://test.domain.com and Host: 10.0.0.128:8000
When I try to download a file from the Single user Notebook Server - I get the following Error logs:

[W 2019-05-24 05:14:56.119 SingleUserNotebookApp handlers:442] Blocking Cross Origin request for /ns/user/user1/files/sampleDlsdata.csv.  Referer: https://test.domain.com, Host: 10.0.0.128:8000

[W 2019-05-24 05:14:56.120 SingleUserNotebookApp web:1667] 403 GET /ns/user/user1/files/sampleDlsdata.csv?download=1 (::ffff:10.0.0.109): Blocking Cross Origin request from https://test.domain.com/ns/user/user1/tree.

[D 2019-05-24 05:14:56.120 SingleUserNotebookApp handlers:260] Using contents: services/contents
[D 2019-05-24 05:14:56.120 SingleUserNotebookApp handlers:260] Using contents: services/contents

[W 2019-05-24 05:14:56.125 SingleUserNotebookApp log:122] 403 GET /ns/user/user1/files/sampleDlsdata.csv?download=1 (tenant1admin@::ffff:10.0.0.109) 6.55ms

This may be caused due to check_xsrf_cookie() in notebook/files/handlers.py in this commit d7becafd593c2958d8a241928412ddf4ba801a42 as mentioned by @TheBear44 .

There is also this commit 7f7bfeefc08568aacd626438e22a6361aa57223a, which mentions that /files/ must be downloaded from the same host - which is not possible when running jupyter notebook behind a reverse proxy. Also, NotebookApp.allow_origin = "*" has no effect on the check_referer() method, since it checks self.allow_origin == origin

/files/ must be downloaded from the same host - which is not possible when running jupyter notebook behind a reverse proxy.

This statement is not correct. All JupyterHub deployments are run behind a reverse proxy and do not have an issue. The reverse proxy, however, should preserve the Host header of the proxied request, not modify it.

Setting allow_origin = * is an extremely insecure way to avoid this issue, since it opens up your deployment to cross-origin scripting (there's a reason for this check!). Preserving the Host header in the proxy properly is the right fix for this, not disabling security features.

In nginx, this is:

proxy_set_header Host $host;

In Apache:

ProxyPreserveHost On

I still keep getting this error on nginx

The important error messages are:

[W 12:12:41.989 NotebookApp] Blocking request with no referer
[W 12:12:41.989 NotebookApp] 403 GET /jupyter/files/img/cafe1.png (172.18.0.1): Blocking request from unknown origin
...
403 GET /jupyter/files/img/cafe1.png (172.18.0.1) 23.27ms referer=None

on the Nginx settings I have:

location /jupyter {
        add_header 'Access-Control-Allow-Origin' '*';
        proxy_pass http://localhost:11317/jupyter;
        proxy_set_header Host $host;
    }

I already restarted Jupyter Docker and nginx.
I also tried loading the image in an incognito browser tab, but no success yet.

I even have the settings below on jupyter_notebook_config.py

c.NotebookApp.allow_origin = '*' 

c.NotebookApp.token = ''
c.NotebookApp.allow_remote_access = True

I tested using Chrome and Firefox.

Does anybody know how to make that work with the settings I provided here?

Ok, I could bypass the problem by installing Anaconda3-2018.12-Linux-x86_64.sh instead of Anaconda3-2019.03-Linux-x86_64.sh.

The latter was the one giving this error.

Just got hit by this as well, unclear why. We already have Host for nginx and conda ~latest (via https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh).

Further info: download .py path works as expected, but not .ipynb

Our JupyterHub deployment is affected by this. Setting

ProxyPreserveHost On

in the Apache config doesn't work, the head of the main Jupyter page appears but there's no file list. There are other "Blocking Cross Origin API request" errors in the JupyterHub log so I presume this has broken things elsewhere.

Confirmed downgrading to 5.7.5 fixes this issue. (We're blocked on other Jupyter bugs for upgrading beyond it.)

I was having the same issue on jupyter-notebook : 6.0.0 and was able to fix it by adding proxy_set_header Host $host; to my nginx conf. Previously it was proxy_set_header Host https://localhost; due to some "tutorial".
I am not aware of the security implications of this (hope they are none) nor if this is a real solution, but it certainly solved my problem.

I had this issue with Jupyter notebook 6.0.3. On top of Host header, I had to set Referer and CORS as well:

 proxy_set_header  Referer  http://$host;
 add_header 'Access-Control-Allow-Origin' "$http_origin";

Just adding what _my_ solution was - I was seeing this 403 error being thrown by Jupyter even though I had set correctly (even NotebookApp.allow_origin = "*" wasn't working). After a lot of headscratching I looked more closely at the log file entries I was seeing:

Nov 14 14:03:35 aviemore jupyter[9021]: [W 14:03:35.684 NotebookApp] Blocking Cross Origin request for /files/testimage.png.  Referer: https://foo.example.com, Host: foo.example.com,foo.example.com

Notice how the value of the Host header is foo.example.com,foo.example.com? This is wrong - what's happened is that I run Jupyter behind nginx as a reverse proxy and I accidentally included _two_ instances of the line proxy_set_header Host $host; What I needed to do was just remove one of the duplicate entries.
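
Added example, not part of the thread or the notebook project's code: a Python sketch that models the Referer/Host comparison as the comments above describe it and classifies the warning lines quoted in this thread (Host not preserved by the proxy, duplicated Host header, missing Referer). The function names and category labels are hypothetical, and `referer_allowed` is a simplified model, not the project's `check_referer()`.

```python
import re
from urllib.parse import urlparse

# Warning format as quoted in the thread's logs.
LOG_RE = re.compile(
    r"Blocking Cross Origin request for (?P<path>\S+)\.\s+"
    r"Referer: (?P<referer>\S+), Host: (?P<host>\S+)"
)

# Sample lines shortened from the log excerpts posted in this thread.
SAMPLES = [
    "[W SingleUserNotebookApp handlers:442] Blocking Cross Origin request for "
    "/ns/user/user1/files/sampleDlsdata.csv.  Referer: https://test.domain.com, "
    "Host: 10.0.0.128:8000",
    "[W NotebookApp] Blocking Cross Origin request for /files/testimage.png.  "
    "Referer: https://foo.example.com, Host: foo.example.com,foo.example.com",
    "[W 12:12:41.989 NotebookApp] Blocking request with no referer",
]


def referer_allowed(host, referer, allow_origin=""):
    """Simplified model (assumption): Referer host must equal the Host header."""
    if not host or not referer:
        return False
    ref = urlparse(referer)
    if ref.netloc == host:
        return True
    # Fallback as a commenter describes it: an exact string comparison,
    # so allow_origin = "*" does not match any real origin here.
    return bool(allow_origin) and allow_origin == f"{ref.scheme}://{ref.netloc}"


def diagnose(line):
    """Map one warning line to the likely reverse-proxy misconfiguration."""
    if "Blocking request with no referer" in line:
        return "no-referer"
    m = LOG_RE.search(line)
    if not m:
        return "unrelated"
    host, ref_host = m["host"], urlparse(m["referer"]).netloc
    parts = [p.strip() for p in host.split(",")]
    if len(parts) > 1:
        # Two "proxy_set_header Host" lines yield a comma-joined Host value.
        return "duplicate-host-header" if set(parts) == {ref_host} else "malformed-host"
    # Host differs from the Referer host: the proxy rewrote or dropped Host.
    return "host-not-preserved" if host != ref_host else "hosts-match"
```

Running `[diagnose(s) for s in SAMPLES]` over a notebook log separates the three failure modes reported in this thread, each of which calls for a different proxy fix.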

Hello, I have been thru this and (https://github.com/jupyter/jupyter/issues/79) as well as the jupyter forums not being able to find out what to do to fix it. Running this as jupyter notebook --NotebookApp.allow_origin=* I vaguely remember working in the past. Am I doing it wrong or is there another reason for why I am getting my images as 302?

@jakubLangr what log entries do you see for the failing requests? Are you running it standalone or behind nginx?

@smcl in the CLI I only see:
[I 13:37:27.089 NotebookApp] 302 GET /files/web/images/epoch002_rec_B.png (127.0.0.1) 0.51ms
I am running just standalone, but running it remotely and tunneling in via SSH.
