Notebook: 403 Forbidden when opening files in Jupyter

Created on 19 Nov 2019 · 5Comments · Source: jupyter/notebook

Trying to open an image (.PNG) in Jupyter after uploading it but the following error pops up:

403 : Forbidden
The error was:
Blocking Cross Origin request from <Notebook_URL/view/image.png>

The same error can be seen with other file formats such as .html, .pdf etc. XSRF check should be enabled for this to occur.

Jupyter details

sh-4.2$ jupyter --version
jupyter core     : 4.6.1
jupyter-notebook : 5.7.8
qtconsole        : 4.5.5
ipython          : 7.9.0
ipykernel        : 5.1.3
jupyter client   : 5.3.4
jupyter lab      : 1.2.3
nbconvert        : 5.6.1
ipywidgets       : 7.5.1
nbformat         : 4.4.0
traitlets        : 4.3.3

This issue is also seen when downloading a Notebook as .ipynb which is discussed in this issue: https://github.com/jupyter/notebook/issues/4541

Some more info, this is the error log from Jupyter

[W 21:48:46.130 NotebookApp] Blocking Cross Origin request for /files/sagemaker_logo.png.  Referer: <Notebook_Url>, Host: 10.0.44.72:8443

Jupyter Notebook was launched with --port 8443 and hosted on the above IP. According to the error message above, it fails this check when XSRF is enabled: https://github.com/jupyter/notebook/blob/9560e0cf4c3a3612f7e0f869035e7e3eeb5853a0/notebook/base/handlers.py#L415-L428

This check will always fail as the host and referer will never be the same. Furthermore, you cannot set c.NotebookApp.allow_origin='*' as an argument as it checks for an explicit value rather than also checking for wildcard:

https://github.com/jupyter/notebook/blob/9560e0cf4c3a3612f7e0f869035e7e3eeb5853a0/notebook/base/handlers.py#L432-L433

One workaround I found was to set c.NotebookApp.allow_origin='<Notebook_Url>' but that doesn't address the root cause of this issue.

Source

zsaziz

Most helpful comment

The workaround does not work if the notebook is accessed remotely.
In my setup, my notebook server opens a reverse SSH tunnel to a remote server. If the notebook is accessed through the port, error 403 will be issued if people try to access a .pdf but not for .ipynb files.

Even if XSRF is disabled, it does not work.
I've tried setting c.NotebookApp.allow_origin='' to '*', 'localhost' and '<remote URL'.
Accessing it locally through X11 forwarding in a browser works, but not through the tunnel.

Keraldi on 30 Nov 2019

👍3

All 5 comments

Keraldi on 30 Nov 2019

👍3

When I view a file (non ipynb) or download any file, the page show that the cross origin request was blocked. However, any other operations behave normal. I solved this problem by setting the c.NotebookApp.allow_origin from '*' to 'http://<my-front-end-ip>'. May this could help anyone.

chansonzhang on 8 Apr 2020

I'm seeing a similar error in Chrome, but not Firefox, when trying to view a local HTML file on the path localhost:PORT/view/foo/bar.html that loads local js and local css files. The server is in a Docker container, the browser on host. In Chrome (81.0.4044.129), the js and and css loads give the warning:

Cross-Origin Read Blocking (CORB) blocked cross-origin response http://localhost:PORT/login?next=%2Ffiles%2Ffoo%2Fbar.js with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.

and the error:

Refused to execute script from 'http://localhost:PORT/login?next=%2Ffiles%2Ffoo%2Fbar.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.

Everything works fine in Firefox.