upstream/ipython Commit - r19161:d56bcc10

Merge pull request from rgbkrk/csp...

Min RK -

r19161:d56bcc10

parent child

IPython/html/services/security/__init__.py

0 created 644 +4 0

@@ -0,0 +1,4 b''
	1	# URI for the CSP Report. Included here to prevent a cyclic dependency.
	2	# csp_report_uri is needed both by the BaseHandler (for setting the report-uri)
	3	# and by the CSPReportHandler (which depends on the BaseHandler).
	4	csp_report_uri = r"/api/security/csp-report"

IPython/html/services/security/handlers.py

0 created 644 +23 0

@@ -0,0 +1,23 b''
	1	"""Tornado handlers for security logging."""
	2
	3	# Copyright (c) IPython Development Team.
	4	# Distributed under the terms of the Modified BSD License.
	5
	6	from tornado import gen, web
	7
	8	from ...base.handlers import IPythonHandler, json_errors
	9	from . import csp_report_uri
	10
	11	class CSPReportHandler(IPythonHandler):
	12	'''Accepts a content security policy violation report'''
	13	@web.authenticated
	14	@json_errors
	15	def post(self):
	16	'''Log a content security policy violation report'''
	17	csp_report = self.get_json_body()
	18	self.log.warn("Content security violation: %s",
	19	self.request.body.decode('utf8', 'replace'))
	20
	21	default_handlers = [
	22	(csp_report_uri, CSPReportHandler)
	23	]

IPython/html/base/handlers.py

0 +11 -4

             """Base Tornado handlers for the notebook server."""
             # Copyright (c) IPython Development Team.
             # Distributed under the terms of the Modified BSD License.
             import functools
             import json
             import logging
             import os
             import re
             import sys
             import traceback
             try:
                 # py3
                 from http.client import responses
             except ImportError:
                 from httplib import responses
             from jinja2 import TemplateNotFound
             from tornado import web
             try:
                 from tornado.log import app_log
             except ImportError:
                 app_log = logging.getLogger()
             import IPython
             from IPython.utils.sysinfo import get_sys_info
             from IPython.config import Application
             from IPython.utils.path import filefind
             from IPython.utils.py3compat import string_types
             from IPython.html.utils import is_hidden, url_path_join, url_escape
+            from IPython.html.services.security import csp_report_uri
             #-----------------------------------------------------------------------------
             # Top-level handlers
             #-----------------------------------------------------------------------------
             non_alphanum = re.compile(r'[^A-Za-z0-9]')
             sys_info = json.dumps(get_sys_info())
             class AuthenticatedHandler(web.RequestHandler):
                 """A RequestHandler with an authenticated user."""
                 def set_default_headers(self):
                     headers = self.settings.get('headers', {})
-                    if "X-Frame-Options" not in headers:
+                    if "Content-Security-Policy" not in headers:
-                        headers["X-Frame-Options"] = "SAMEORIGIN"
+                        headers["Content-Security-Policy"] = (
+                                "frame-ancestors 'self'; "
+                                # Make sure the report-uri is relative to the base_url
+                                "report-uri " + url_path_join(self.base_url, csp_report_uri) + ";"
+                        )
+                    # Allow for overriding headers
                     for header_name,value in headers.items() :
                         try:
                             self.set_header(header_name, value)
-                        except Exception:
+                        except Exception as e:
                             # tornado raise Exception (not a subclass)
                             # if method is unsupported (websocket and Access-Control-Allow-Origin
                             # for example, so just ignore)
-                            pass
+                            self.log.debug(e)
                 def clear_login_cookie(self):
                     self.clear_cookie(self.cookie_name)
                 def get_current_user(self):
                     user_id = self.get_secure_cookie(self.cookie_name)
                     # For now the user_id should not return empty, but it could eventually
                     if user_id == '':
                         user_id = 'anonymous'
                     if user_id is None:
                         # prevent extra Invalid cookie sig warnings:
                         self.clear_login_cookie()
                         if not self.login_available:
                             user_id = 'anonymous'
                     return user_id
                 @property
                 def cookie_name(self):
                     default_cookie_name = non_alphanum.sub('-', 'username-{}'.format(
                         self.request.host
                     ))
                     return self.settings.get('cookie_name', default_cookie_name)
                 @property
                 def password(self):
                     """our password"""
                     return self.settings.get('password', '')
                 @property
                 def logged_in(self):
                     """Is a user currently logged in?
                     """
                     user = self.get_current_user()
                     return (user and not user == 'anonymous')
                 @property
                 def login_available(self):
                     """May a user proceed to log in?
                     This returns True if login capability is available, irrespective of
                     whether the user is already logged in or not.
                     """
                     return bool(self.settings.get('password', ''))
             class IPythonHandler(AuthenticatedHandler):
                 """IPython-specific extensions to authenticated handling
                 Mostly property shortcuts to IPython-specific settings.
                 """
                 @property
                 def config(self):
                     return self.settings.get('config', None)
                 @property
                 def log(self):
                     """use the IPython log by default, falling back on tornado's logger"""
                     if Application.initialized():
                         return Application.instance().log
                     else:
                         return app_log
                 #---------------------------------------------------------------
                 # URLs
                 #---------------------------------------------------------------
                 @property
                 def version_hash(self):
                     """The version hash to use for cache hints for static files"""
                     return self.settings.get('version_hash', '')
                 @property
                 def mathjax_url(self):
                     return self.settings.get('mathjax_url', '')
                 @property
                 def base_url(self):
                     return self.settings.get('base_url', '/')
                 @property
                 def ws_url(self):
                     return self.settings.get('websocket_url', '')
                 @property
                 def contents_js_source(self):
                     self.log.debug("Using contents: %s", self.settings.get('contents_js_source',
                         'services/contents'))
                     return self.settings.get('contents_js_source', 'services/contents')
                 #---------------------------------------------------------------
                 # Manager objects
                 #---------------------------------------------------------------
                 @property
                 def kernel_manager(self):
                     return self.settings['kernel_manager']
                 @property
                 def contents_manager(self):
                     return self.settings['contents_manager']
                 @property
                 def cluster_manager(self):
                     return self.settings['cluster_manager']
                 @property
                 def session_manager(self):
                     return self.settings['session_manager']
                 @property
                 def terminal_manager(self):
                     return self.settings['terminal_manager']
                 @property
                 def kernel_spec_manager(self):
                     return self.settings['kernel_spec_manager']
                 @property
                 def config_manager(self):
                     return self.settings['config_manager']
                 #---------------------------------------------------------------
                 # CORS
                 #---------------------------------------------------------------
                 @property
                 def allow_origin(self):
                     """Normal Access-Control-Allow-Origin"""
                     return self.settings.get('allow_origin', '')
                 @property
                 def allow_origin_pat(self):
                     """Regular expression version of allow_origin"""
                     return self.settings.get('allow_origin_pat', None)
                 @property
                 def allow_credentials(self):
                     """Whether to set Access-Control-Allow-Credentials"""
                     return self.settings.get('allow_credentials', False)
                 def set_default_headers(self):
                     """Add CORS headers, if defined"""
                     super(IPythonHandler, self).set_default_headers()
                     if self.allow_origin:
                         self.set_header("Access-Control-Allow-Origin", self.allow_origin)
                     elif self.allow_origin_pat:
                         origin = self.get_origin()
                         if origin and self.allow_origin_pat.match(origin):
                             self.set_header("Access-Control-Allow-Origin", origin)
                     if self.allow_credentials:
                         self.set_header("Access-Control-Allow-Credentials", 'true')
                 def get_origin(self):
                     # Handle WebSocket Origin naming convention differences
                     # The difference between version 8 and 13 is that in 8 the
                     # client sends a "Sec-Websocket-Origin" header and in 13 it's
                     # simply "Origin".
                     if "Origin" in self.request.headers:
                         origin = self.request.headers.get("Origin")
                     else:
                         origin = self.request.headers.get("Sec-Websocket-Origin", None)
                     return origin
                 #---------------------------------------------------------------
                 # template rendering
                 #---------------------------------------------------------------
                 def get_template(self, name):
                     """Return the jinja template object for a given name"""
                     return self.settings['jinja2_env'].get_template(name)
                 def render_template(self, name, **ns):
                     ns.update(self.template_namespace)
                     template = self.get_template(name)
                     return template.render(**ns)
                 @property
                 def template_namespace(self):
                     return dict(
                         base_url=self.base_url,
                         ws_url=self.ws_url,
                         logged_in=self.logged_in,
                         login_available=self.login_available,
                         static_url=self.static_url,
                         sys_info=sys_info,
                         contents_js_source=self.contents_js_source,
                         version_hash=self.version_hash,
                     )
                 def get_json_body(self):
                     """Return the body of the request as JSON data."""
                     if not self.request.body:
                         return None
                     # Do we need to call body.decode('utf-8') here?
                     body = self.request.body.strip().decode(u'utf-8')
                     try:
                         model = json.loads(body)
                     except Exception:
                         self.log.debug("Bad JSON: %r", body)
                         self.log.error("Couldn't parse JSON", exc_info=True)
                         raise web.HTTPError(400, u'Invalid JSON in body of request')
                     return model
                 def write_error(self, status_code, **kwargs):
                     """render custom error pages"""
                     exc_info = kwargs.get('exc_info')
                     message = ''
                     status_message = responses.get(status_code, 'Unknown HTTP Error')
                     if exc_info:
                         exception = exc_info[1]
                         # get the custom message, if defined
                         try:
                             message = exception.log_message % exception.args
                         except Exception:
                             pass
                         # construct the custom reason, if defined
                         reason = getattr(exception, 'reason', '')
                         if reason:
                             status_message = reason
                     # build template namespace
                     ns = dict(
                         status_code=status_code,
                         status_message=status_message,
                         message=message,
                         exception=exception,
                     )
                     self.set_header('Content-Type', 'text/html')
                     # render the template
                     try:
                         html = self.render_template('%s.html' % status_code, **ns)
                     except TemplateNotFound:
                         self.log.debug("No template for %d", status_code)
                         html = self.render_template('error.html', **ns)
                     self.write(html)
             class Template404(IPythonHandler):
                 """Render our 404 template"""
                 def prepare(self):
                     raise web.HTTPError(404)
             class AuthenticatedFileHandler(IPythonHandler, web.StaticFileHandler):
                 """static files should only be accessible when logged in"""
                 @web.authenticated
                 def get(self, path):
                     if os.path.splitext(path)[1] == '.ipynb':
                         name = path.rsplit('/', 1)[-1]
                         self.set_header('Content-Type', 'application/json')
                         self.set_header('Content-Disposition','attachment; filename="%s"' % name)
                     return web.StaticFileHandler.get(self, path)
                 def set_headers(self):
                     super(AuthenticatedFileHandler, self).set_headers()
                     # disable browser caching, rely on 304 replies for savings
                     if "v" not in self.request.arguments:
                         self.add_header("Cache-Control", "no-cache")
                 def compute_etag(self):
                     return None
                 def validate_absolute_path(self, root, absolute_path):
                     """Validate and return the absolute path.
                     Requires tornado 3.1
                     Adding to tornado's own handling, forbids the serving of hidden files.
                     """
                     abs_path = super(AuthenticatedFileHandler, self).validate_absolute_path(root, absolute_path)
                     abs_root = os.path.abspath(root)
                     if is_hidden(abs_path, abs_root):
                         self.log.info("Refusing to serve hidden file, via 404 Error")
                         raise web.HTTPError(404)
                     return abs_path
             def json_errors(method):
                 """Decorate methods with this to return GitHub style JSON errors.
                 This should be used on any JSON API on any handler method that can raise HTTPErrors.
                 This will grab the latest HTTPError exception using sys.exc_info
                 and then:
 . Set the HTTP status code based on the HTTPError
 . Create and return a JSON body with a message field describing
                    the error in a human readable form.
                 """
                 @functools.wraps(method)
                 def wrapper(self, *args, **kwargs):
                     try:
                         result = method(self, *args, **kwargs)
                     except web.HTTPError as e:
                         status = e.status_code
                         message = e.log_message
                         self.log.warn(message)
                         self.set_status(e.status_code)
                         self.finish(json.dumps(dict(message=message)))
                     except Exception:
                         self.log.error("Unhandled error in API request", exc_info=True)
                         status = 500
                         message = "Unknown server error"
                         t, value, tb = sys.exc_info()
                         self.set_status(status)
                         tb_text = ''.join(traceback.format_exception(t, value, tb))
                         reply = dict(message=message, traceback=tb_text)
                         self.finish(json.dumps(reply))
                     else:
                         return result
                 return wrapper
             #-----------------------------------------------------------------------------
             # File handler
             #-----------------------------------------------------------------------------
             # to minimize subclass changes:
             HTTPError = web.HTTPError
             class FileFindHandler(web.StaticFileHandler):
                 """subclass of StaticFileHandler for serving files from a search path"""
                 # cache search results, don't search for files more than once
                 _static_paths = {}
                 def set_headers(self):
                     super(FileFindHandler, self).set_headers()
                     # disable browser caching, rely on 304 replies for savings
                     if "v" not in self.request.arguments or \
                             any(self.request.path.startswith(path) for path in self.no_cache_paths):
                         self.add_header("Cache-Control", "no-cache")
                 def initialize(self, path, default_filename=None, no_cache_paths=None):
                     self.no_cache_paths = no_cache_paths or []
                     if isinstance(path, string_types):
                         path = [path]
                     self.root = tuple(
                         os.path.abspath(os.path.expanduser(p)) + os.sep for p in path
                     )
                     self.default_filename = default_filename
                 def compute_etag(self):
                     return None
                 @classmethod
                 def get_absolute_path(cls, roots, path):
                     """locate a file to serve on our static file search path"""
                     with cls._lock:
                         if path in cls._static_paths:
                             return cls._static_paths[path]
                         try:
                             abspath = os.path.abspath(filefind(path, roots))
                         except IOError:
                             # IOError means not found
                             return ''
                         cls._static_paths[path] = abspath
                         return abspath
                 def validate_absolute_path(self, root, absolute_path):
                     """check if the file should be served (raises 404, 403, etc.)"""
                     if absolute_path == '':
                         raise web.HTTPError(404)
                     for root in self.root:
                         if (absolute_path + os.sep).startswith(root):
                             break
                     return super(FileFindHandler, self).validate_absolute_path(root, absolute_path)
             class ApiVersionHandler(IPythonHandler):
                 @json_errors
                 def get(self):
                     # not authenticated, so give as few info as possible
                     self.finish(json.dumps({"version":IPython.__version__}))
             class TrailingSlashHandler(web.RequestHandler):
                 """Simple redirect handler that strips trailing slashes
                 This should be the first, highest priority handler.
                 """
                 def get(self):
                     self.redirect(self.request.uri.rstrip('/'))
                 post = put = get
             class FilesRedirectHandler(IPythonHandler):
                 """Handler for redirecting relative URLs to the /files/ handler"""
                 def get(self, path=''):
                     cm = self.contents_manager
                     if cm.dir_exists(path):
                         # it's a *directory*, redirect to /tree
                         url = url_path_join(self.base_url, 'tree', path)
                     else:
                         orig_path = path
                         # otherwise, redirect to /files
                         parts = path.split('/')
                         if not cm.file_exists(path=path) and 'files' in parts:
                             # redirect without files/ iff it would 404
                             # this preserves pre-2.0-style 'files/' links
                             self.log.warn("Deprecated files/ URL: %s", orig_path)
                             parts.remove('files')
                             path = '/'.join(parts)
                         if not cm.file_exists(path=path):
                             raise web.HTTPError(404)
                         url = url_path_join(self.base_url, 'files', path)
                     url = url_escape(url)
                     self.log.debug("Redirecting %s to %s", self.request.path, url)
                     self.redirect(url)
             #-----------------------------------------------------------------------------
             # URL pattern fragments for re-use
             #-----------------------------------------------------------------------------
             # path matches any number of `/foo[/bar...]` or just `/` or ''
             path_regex = r"(?P<path>(?:(?:/[^/]+)+|/?))"
             notebook_path_regex = r"(?P<path>(?:/[^/]+)+\.ipynb)"
             #-----------------------------------------------------------------------------
             # URL to handler mappings
             #-----------------------------------------------------------------------------
             default_handlers = [
                 (r".*/", TrailingSlashHandler),
                 (r"api", ApiVersionHandler)
             ]

IPython/html/notebookapp.py

0 +1 -1

             # coding: utf-8
             """A tornado based IPython notebook server."""
             # Copyright (c) IPython Development Team.
             # Distributed under the terms of the Modified BSD License.
             from __future__ import print_function
             import base64
             import datetime
             import errno
             import io
             import json
             import logging
             import os
             import random
             import re
             import select
             import signal
             import socket
             import sys
             import threading
             import time
             import webbrowser
             # check for pyzmq 2.1.11
             from IPython.utils.zmqrelated import check_for_zmq
             check_for_zmq('2.1.11', 'IPython.html')
             from jinja2 import Environment, FileSystemLoader
             # Install the pyzmq ioloop. This has to be done before anything else from
             # tornado is imported.
             from zmq.eventloop import ioloop
             ioloop.install()
             # check for tornado 3.1.0
             msg = "The IPython Notebook requires tornado >= 4.0"
             try:
                 import tornado
             except ImportError:
                 raise ImportError(msg)
             try:
                 version_info = tornado.version_info
             except AttributeError:
                 raise ImportError(msg + ", but you have < 1.1.0")
             if version_info < (4,0):
                 raise ImportError(msg + ", but you have %s" % tornado.version)
             from tornado import httpserver
             from tornado import web
             from tornado.log import LogFormatter, app_log, access_log, gen_log
             from IPython.html import (
                 DEFAULT_STATIC_FILES_PATH,
                 DEFAULT_TEMPLATE_PATH_LIST,
             )
             from .base.handlers import Template404
             from .log import log_request
             from .services.kernels.kernelmanager import MappingKernelManager
             from .services.contents.manager import ContentsManager
             from .services.contents.filemanager import FileContentsManager
             from .services.clusters.clustermanager import ClusterManager
             from .services.sessions.sessionmanager import SessionManager
             from .base.handlers import AuthenticatedFileHandler, FileFindHandler
             from IPython.config import Config
             from IPython.config.application import catch_config_error, boolean_flag
             from IPython.core.application import (
                 BaseIPythonApplication, base_flags, base_aliases,
             )
             from IPython.core.profiledir import ProfileDir
             from IPython.kernel import KernelManager
             from IPython.kernel.kernelspec import KernelSpecManager
             from IPython.kernel.zmq.session import default_secure, Session
             from IPython.nbformat.sign import NotebookNotary
             from IPython.utils.importstring import import_item
             from IPython.utils import submodule
             from IPython.utils.process import check_pid
             from IPython.utils.traitlets import (
                 Dict, Unicode, Integer, List, Bool, Bytes, Instance,
                 DottedObjectName, TraitError,
             )
             from IPython.utils import py3compat
             from IPython.utils.path import filefind, get_ipython_dir
             from IPython.utils.sysinfo import get_sys_info
             from .utils import url_path_join
             #-----------------------------------------------------------------------------
             # Module globals
             #-----------------------------------------------------------------------------
             _examples = """
             ipython notebook                       # start the notebook
             ipython notebook --profile=sympy       # use the sympy profile
             ipython notebook --certfile=mycert.pem # use SSL/TLS certificate
             """
             #-----------------------------------------------------------------------------
             # Helper functions
             #-----------------------------------------------------------------------------
             def random_ports(port, n):
                 """Generate a list of n random ports near the given port.
                 The first 5 ports will be sequential, and the remaining n-5 will be
                 randomly selected in the range [port-2*n, port+2*n].
                 """
                 for i in range(min(5, n)):
                     yield port + i
                 for i in range(n-5):
                     yield max(1, port + random.randint(-2*n, 2*n))
             def load_handlers(name):
                 """Load the (URL pattern, handler) tuples for each component."""
                 name = 'IPython.html.' + name
                 mod = __import__(name, fromlist=['default_handlers'])
                 return mod.default_handlers
             #-----------------------------------------------------------------------------
             # The Tornado web application
             #-----------------------------------------------------------------------------
             class NotebookWebApplication(web.Application):
                 def __init__(self, ipython_app, kernel_manager, contents_manager,
                              cluster_manager, session_manager, kernel_spec_manager,
                              config_manager, log,
                              base_url, default_url, settings_overrides, jinja_env_options):
                     settings = self.init_settings(
                         ipython_app, kernel_manager, contents_manager, cluster_manager,
                         session_manager, kernel_spec_manager, config_manager, log, base_url,
                         default_url, settings_overrides, jinja_env_options)
                     handlers = self.init_handlers(settings)
                     super(NotebookWebApplication, self).__init__(handlers, **settings)
                 def init_settings(self, ipython_app, kernel_manager, contents_manager,
                                   cluster_manager, session_manager, kernel_spec_manager,
                                   config_manager,
                                   log, base_url, default_url, settings_overrides,
                                   jinja_env_options=None):
                     _template_path = settings_overrides.get(
                         "template_path",
                         ipython_app.template_file_path,
                     )
                     if isinstance(_template_path, str):
                         _template_path = (_template_path,)
                     template_path = [os.path.expanduser(path) for path in _template_path]
                     jenv_opt = jinja_env_options if jinja_env_options else {}
                     env = Environment(loader=FileSystemLoader(template_path), **jenv_opt)
                     sys_info = get_sys_info()
                     if sys_info['commit_source'] == 'repository':
                         # don't cache (rely on 304) when working from master
                         version_hash = ''
                     else:
                         # reset the cache on server restart
                         version_hash = datetime.datetime.now().strftime("%Y%m%d%H%M%S")
                     settings = dict(
                         # basics
                         log_function=log_request,
                         base_url=base_url,
                         default_url=default_url,
                         template_path=template_path,
                         static_path=ipython_app.static_file_path,
                         static_handler_class = FileFindHandler,
                         static_url_prefix = url_path_join(base_url,'/static/'),
                         static_handler_args = {
                             # don't cache custom.js
                             'no_cache_paths': [url_path_join(base_url, 'static', 'custom')],
                         },
                         version_hash=version_hash,
                         # authentication
                         cookie_secret=ipython_app.cookie_secret,
                         login_url=url_path_join(base_url,'/login'),
                         password=ipython_app.password,
                         # managers
                         kernel_manager=kernel_manager,
                         contents_manager=contents_manager,
                         cluster_manager=cluster_manager,
                         session_manager=session_manager,
                         kernel_spec_manager=kernel_spec_manager,
                         config_manager=config_manager,
                         # IPython stuff
                         nbextensions_path = ipython_app.nbextensions_path,
                         websocket_url=ipython_app.websocket_url,
                         mathjax_url=ipython_app.mathjax_url,
                         config=ipython_app.config,
                         jinja2_env=env,
                         terminals_available=False,  # Set later if terminals are available
                     )
                     # allow custom overrides for the tornado web app.
                     settings.update(settings_overrides)
                     return settings
                 def init_handlers(self, settings):
                     """Load the (URL pattern, handler) tuples for each component."""
                     # Order matters. The first handler to match the URL will handle the request.
                     handlers = []
                     handlers.extend(load_handlers('tree.handlers'))
                     handlers.extend(load_handlers('auth.login'))
                     handlers.extend(load_handlers('auth.logout'))
                     handlers.extend(load_handlers('files.handlers'))
                     handlers.extend(load_handlers('notebook.handlers'))
                     handlers.extend(load_handlers('nbconvert.handlers'))
                     handlers.extend(load_handlers('kernelspecs.handlers'))
                     handlers.extend(load_handlers('edit.handlers'))
                     handlers.extend(load_handlers('services.config.handlers'))
                     handlers.extend(load_handlers('services.kernels.handlers'))
                     handlers.extend(load_handlers('services.contents.handlers'))
                     handlers.extend(load_handlers('services.clusters.handlers'))
                     handlers.extend(load_handlers('services.sessions.handlers'))
                     handlers.extend(load_handlers('services.nbconvert.handlers'))
                     handlers.extend(load_handlers('services.kernelspecs.handlers'))
+                    handlers.extend(load_handlers('services.security.handlers'))
                     handlers.append(
                         (r"/nbextensions/(.*)", FileFindHandler, {
                             'path': settings['nbextensions_path'],
                             'no_cache_paths': ['/'], # don't cache anything in nbextensions
                         }),
                     )
                     # register base handlers last
                     handlers.extend(load_handlers('base.handlers'))
                     # set the URL that will be redirected from `/`
                     handlers.append(
                         (r'/?', web.RedirectHandler, {
                             'url' : url_path_join(settings['base_url'], settings['default_url']),
                             'permanent': False, # want 302, not 301
                         })
                     )
                     # prepend base_url onto the patterns that we match
                     new_handlers = []
                     for handler in handlers:
                         pattern = url_path_join(settings['base_url'], handler[0])
                         new_handler = tuple([pattern] + list(handler[1:]))
                         new_handlers.append(new_handler)
                     # add 404 on the end, which will catch everything that falls through
                     new_handlers.append((r'(.*)', Template404))
                     return new_handlers
             class NbserverListApp(BaseIPythonApplication):
                 description="List currently running notebook servers in this profile."
                 flags = dict(
                     json=({'NbserverListApp': {'json': True}},
                           "Produce machine-readable JSON output."),
                 )
                 json = Bool(False, config=True,
                       help="If True, each line of output will be a JSON object with the "
                               "details from the server info file.")
                 def start(self):
                     if not self.json:
                         print("Currently running servers:")
                     for serverinfo in list_running_servers(self.profile):
                         if self.json:
                             print(json.dumps(serverinfo))
                         else:
                             print(serverinfo['url'], "::", serverinfo['notebook_dir'])
             #-----------------------------------------------------------------------------
             # Aliases and Flags
             #-----------------------------------------------------------------------------
             flags = dict(base_flags)
             flags['no-browser']=(
                 {'NotebookApp' : {'open_browser' : False}},
                 "Don't open the notebook in a browser after startup."
             )
             flags['pylab']=(
                 {'NotebookApp' : {'pylab' : 'warn'}},
                 "DISABLED: use %pylab or %matplotlib in the notebook to enable matplotlib."
             )
             flags['no-mathjax']=(
                 {'NotebookApp' : {'enable_mathjax' : False}},
                 """Disable MathJax
                 MathJax is the javascript library IPython uses to render math/LaTeX. It is
                 very large, so you may want to disable it if you have a slow internet
                 connection, or for offline use of the notebook.
                 When disabled, equations etc. will appear as their untransformed TeX source.
                 """
             )
             # Add notebook manager flags
             flags.update(boolean_flag('script', 'FileContentsManager.save_script',
                            'DEPRECATED, IGNORED',
                            'DEPRECATED, IGNORED'))
             aliases = dict(base_aliases)
             aliases.update({
                 'ip': 'NotebookApp.ip',
                 'port': 'NotebookApp.port',
                 'port-retries': 'NotebookApp.port_retries',
                 'transport': 'KernelManager.transport',
                 'keyfile': 'NotebookApp.keyfile',
                 'certfile': 'NotebookApp.certfile',
                 'notebook-dir': 'NotebookApp.notebook_dir',
                 'browser': 'NotebookApp.browser',
                 'pylab': 'NotebookApp.pylab',
             })
             #-----------------------------------------------------------------------------
             # NotebookApp
             #-----------------------------------------------------------------------------
             class NotebookApp(BaseIPythonApplication):
                 name = 'ipython-notebook'
                 description = """
                     The IPython HTML Notebook.
                     This launches a Tornado based HTML Notebook Server that serves up an
                     HTML5/Javascript Notebook client.
                 """
                 examples = _examples
                 aliases = aliases
                 flags = flags
                 classes = [
                     KernelManager, ProfileDir, Session, MappingKernelManager,
                     ContentsManager, FileContentsManager, NotebookNotary,
                 ]
                 flags = Dict(flags)
                 aliases = Dict(aliases)
                 subcommands = dict(
                     list=(NbserverListApp, NbserverListApp.description.splitlines()[0]),
                 )
                 ipython_kernel_argv = List(Unicode)
                 _log_formatter_cls = LogFormatter
                 def _log_level_default(self):
                     return logging.INFO
                 def _log_datefmt_default(self):
                     """Exclude date from default date format"""
                     return "%H:%M:%S"
                 def _log_format_default(self):
                     """override default log format to include time"""
                     return u"%(color)s[%(levelname)1.1s %(asctime)s.%(msecs).03d %(name)s]%(end_color)s %(message)s"
                 # create requested profiles by default, if they don't exist:
                 auto_create = Bool(True)
                 # file to be opened in the notebook server
                 file_to_run = Unicode('', config=True)
                 # Network related information
                 allow_origin = Unicode('', config=True,
                     help="""Set the Access-Control-Allow-Origin header
                     Use '*' to allow any origin to access your server.
                     Takes precedence over allow_origin_pat.
                     """
                 )
                 allow_origin_pat = Unicode('', config=True,
                     help="""Use a regular expression for the Access-Control-Allow-Origin header
                     Requests from an origin matching the expression will get replies with:
                         Access-Control-Allow-Origin: origin
                     where `origin` is the origin of the request.
                     Ignored if allow_origin is set.
                     """
                 )
                 allow_credentials = Bool(False, config=True,
                     help="Set the Access-Control-Allow-Credentials: true header"
                 )
                 default_url = Unicode('/tree', config=True,
                     help="The default URL to redirect to from `/`"
                 )
                 ip = Unicode('localhost', config=True,
                     help="The IP address the notebook server will listen on."
                 )
                 def _ip_changed(self, name, old, new):
                     if new == u'*': self.ip = u''
                 port = Integer(8888, config=True,
                     help="The port the notebook server will listen on."
                 )
                 port_retries = Integer(50, config=True,
                     help="The number of additional ports to try if the specified port is not available."
                 )
                 certfile = Unicode(u'', config=True,
                     help="""The full path to an SSL/TLS certificate file."""
                 )
                 keyfile = Unicode(u'', config=True,
                     help="""The full path to a private key file for usage with SSL/TLS."""
                 )
                 cookie_secret_file = Unicode(config=True,
                     help="""The file where the cookie secret is stored."""
                 )
                 def _cookie_secret_file_default(self):
                     if self.profile_dir is None:
                         return ''
                     return os.path.join(self.profile_dir.security_dir, 'notebook_cookie_secret')
                 cookie_secret = Bytes(b'', config=True,
                     help="""The random bytes used to secure cookies.
                     By default this is a new random number every time you start the Notebook.
                     Set it to a value in a config file to enable logins to persist across server sessions.
                     Note: Cookie secrets should be kept private, do not share config files with
                     cookie_secret stored in plaintext (you can read the value from a file).
                     """
                 )
                 def _cookie_secret_default(self):
                     if os.path.exists(self.cookie_secret_file):
                         with io.open(self.cookie_secret_file, 'rb') as f:
                             return f.read()
                     else:
                         secret = base64.encodestring(os.urandom(1024))
                         self._write_cookie_secret_file(secret)
                         return secret
                 def _write_cookie_secret_file(self, secret):
                     """write my secret to my secret_file"""
                     self.log.info("Writing notebook server cookie secret to %s", self.cookie_secret_file)
                     with io.open(self.cookie_secret_file, 'wb') as f:
                         f.write(secret)
                     try:
                         os.chmod(self.cookie_secret_file, 0o600)
                     except OSError:
                         self.log.warn(
                             "Could not set permissions on %s",
                             self.cookie_secret_file
                         )
                 password = Unicode(u'', config=True,
                                   help="""Hashed password to use for web authentication.
                                   To generate, type in a python/IPython shell:
                                     from IPython.lib import passwd; passwd()
                                   The string should be of the form type:salt:hashed-password.
                                   """
                 )
                 open_browser = Bool(True, config=True,
                                     help="""Whether to open in a browser after starting.
                                     The specific browser used is platform dependent and
                                     determined by the python standard library `webbrowser`
                                     module, unless it is overridden using the --browser
                                     (NotebookApp.browser) configuration option.
                                     """)
                 browser = Unicode(u'', config=True,
                                   help="""Specify what command to use to invoke a web
                                   browser when opening the notebook. If not specified, the
                                   default browser will be determined by the `webbrowser`
                                   standard library module, which allows setting of the
                                   BROWSER environment variable to override it.
                                   """)
                 webapp_settings = Dict(config=True,
                     help="DEPRECATED, use tornado_settings"
                 )
                 def _webapp_settings_changed(self, name, old, new):
                     self.log.warn("\n    webapp_settings is deprecated, use tornado_settings.\n")
                     self.tornado_settings = new
                 tornado_settings = Dict(config=True,
                         help="Supply overrides for the tornado.web.Application that the "
                              "IPython notebook uses.")
                 jinja_environment_options = Dict(config=True,
                         help="Supply extra arguments that will be passed to Jinja environment.")
                 enable_mathjax = Bool(True, config=True,
                     help="""Whether to enable MathJax for typesetting math/TeX
                     MathJax is the javascript library IPython uses to render math/LaTeX. It is
                     very large, so you may want to disable it if you have a slow internet
                     connection, or for offline use of the notebook.
                     When disabled, equations etc. will appear as their untransformed TeX source.
                     """
                 )
                 def _enable_mathjax_changed(self, name, old, new):
                     """set mathjax url to empty if mathjax is disabled"""
                     if not new:
                         self.mathjax_url = u''
                 base_url = Unicode('/', config=True,
                                            help='''The base URL for the notebook server.
                                            Leading and trailing slashes can be omitted,
                                            and will automatically be added.
                                            ''')
                 def _base_url_changed(self, name, old, new):
                     if not new.startswith('/'):
                         self.base_url = '/'+new
                     elif not new.endswith('/'):
                         self.base_url = new+'/'
                 base_project_url = Unicode('/', config=True, help="""DEPRECATED use base_url""")
                 def _base_project_url_changed(self, name, old, new):
                     self.log.warn("base_project_url is deprecated, use base_url")
                     self.base_url = new
                 extra_static_paths = List(Unicode, config=True,
                     help="""Extra paths to search for serving static files.
                     This allows adding javascript/css to be available from the notebook server machine,
                     or overriding individual files in the IPython"""
                 )
                 def _extra_static_paths_default(self):
                     return [os.path.join(self.profile_dir.location, 'static')]
                 @property
                 def static_file_path(self):
                     """return extra paths + the default location"""
                     return self.extra_static_paths + [DEFAULT_STATIC_FILES_PATH]
                 extra_template_paths = List(Unicode, config=True,
                     help="""Extra paths to search for serving jinja templates.
                     Can be used to override templates from IPython.html.templates."""
                 )
                 def _extra_template_paths_default(self):
                     return []
                 @property
                 def template_file_path(self):
                     """return extra paths + the default locations"""
                     return self.extra_template_paths + DEFAULT_TEMPLATE_PATH_LIST
                 nbextensions_path = List(Unicode, config=True,
                     help="""paths for Javascript extensions. By default, this is just IPYTHONDIR/nbextensions"""
                 )
                 def _nbextensions_path_default(self):
                     return [os.path.join(get_ipython_dir(), 'nbextensions')]
                 websocket_url = Unicode("", config=True,
                     help="""The base URL for websockets,
                     if it differs from the HTTP server (hint: it almost certainly doesn't).
                     Should be in the form of an HTTP origin: ws[s]://hostname[:port]
                     """
                 )
                 mathjax_url = Unicode("", config=True,
                     help="""The url for MathJax.js."""
                 )
                 def _mathjax_url_default(self):
                     if not self.enable_mathjax:
                         return u''
                     static_url_prefix = self.tornado_settings.get("static_url_prefix",
                                      url_path_join(self.base_url, "static")
                     )
                     # try local mathjax, either in nbextensions/mathjax or static/mathjax
                     for (url_prefix, search_path) in [
                         (url_path_join(self.base_url, "nbextensions"), self.nbextensions_path),
                         (static_url_prefix, self.static_file_path),
                     ]:
                         self.log.debug("searching for local mathjax in %s", search_path)
                         try:
                             mathjax = filefind(os.path.join('mathjax', 'MathJax.js'), search_path)
                         except IOError:
                             continue
                         else:
                             url = url_path_join(url_prefix, u"mathjax/MathJax.js")
                             self.log.info("Serving local MathJax from %s at %s", mathjax, url)
                             return url
                     # no local mathjax, serve from CDN
                     url = u"https://cdn.mathjax.org/mathjax/latest/MathJax.js"
                     self.log.info("Using MathJax from CDN: %s", url)
                     return url
                 def _mathjax_url_changed(self, name, old, new):
                     if new and not self.enable_mathjax:
                         # enable_mathjax=False overrides mathjax_url
                         self.mathjax_url = u''
                     else:
                         self.log.info("Using MathJax: %s", new)
                 contents_manager_class = DottedObjectName('IPython.html.services.contents.filemanager.FileContentsManager',
                     config=True,
                     help='The notebook manager class to use.'
                 )
                 kernel_manager_class = DottedObjectName('IPython.html.services.kernels.kernelmanager.MappingKernelManager',
                     config=True,
                     help='The kernel manager class to use.'
                 )
                 session_manager_class = DottedObjectName('IPython.html.services.sessions.sessionmanager.SessionManager',
                     config=True,
                     help='The session manager class to use.'
                 )
                 cluster_manager_class = DottedObjectName('IPython.html.services.clusters.clustermanager.ClusterManager',
                     config=True,
                     help='The cluster manager class to use.'
                 )
                 config_manager_class = DottedObjectName('IPython.html.services.config.manager.ConfigManager',
                     config = True,
                     help='The config manager class to use'
                 )
                 kernel_spec_manager = Instance(KernelSpecManager)
                 def _kernel_spec_manager_default(self):
                     return KernelSpecManager(ipython_dir=self.ipython_dir)
                 kernel_spec_manager_class = DottedObjectName('IPython.kernel.kernelspec.KernelSpecManager',
                         config=True,
                         help="""
                         The kernel spec manager class to use. Should be a subclass
                         of `IPython.kernel.kernelspec.KernelSpecManager`.
                         The Api of KernelSpecManager is provisional and might change
                         without warning between this version of IPython and the next stable one.
                         """)
                 trust_xheaders = Bool(False, config=True,
                     help=("Whether to trust or not X-Scheme/X-Forwarded-Proto and X-Real-Ip/X-Forwarded-For headers"
                           "sent by the upstream reverse proxy. Necessary if the proxy handles SSL")
                 )
                 info_file = Unicode()
                 def _info_file_default(self):
                     info_file = "nbserver-%s.json"%os.getpid()
                     return os.path.join(self.profile_dir.security_dir, info_file)
                 pylab = Unicode('disabled', config=True,
                     help="""
                     DISABLED: use %pylab or %matplotlib in the notebook to enable matplotlib.
                     """
                 )
                 def _pylab_changed(self, name, old, new):
                     """when --pylab is specified, display a warning and exit"""
                     if new != 'warn':
                         backend = ' %s' % new
                     else:
                         backend = ''
                     self.log.error("Support for specifying --pylab on the command line has been removed.")
                     self.log.error(
                         "Please use `%pylab{0}` or `%matplotlib{0}` in the notebook itself.".format(backend)
                     )
                     self.exit(1)
                 notebook_dir = Unicode(config=True,
                     help="The directory to use for notebooks and kernels."
                 )
                 def _notebook_dir_default(self):
                     if self.file_to_run:
                         return os.path.dirname(os.path.abspath(self.file_to_run))
                     else:
                         return py3compat.getcwd()
                 def _notebook_dir_changed(self, name, old, new):
                     """Do a bit of validation of the notebook dir."""
                     if not os.path.isabs(new):
                         # If we receive a non-absolute path, make it absolute.
                         self.notebook_dir = os.path.abspath(new)
                         return
                     if not os.path.isdir(new):
                         raise TraitError("No such notebook dir: %r" % new)
                     # setting App.notebook_dir implies setting notebook and kernel dirs as well
                     self.config.FileContentsManager.root_dir = new
                     self.config.MappingKernelManager.root_dir = new
                 def parse_command_line(self, argv=None):
                     super(NotebookApp, self).parse_command_line(argv)
                     if self.extra_args:
                         arg0 = self.extra_args[0]
                         f = os.path.abspath(arg0)
                         self.argv.remove(arg0)
                         if not os.path.exists(f):
                             self.log.critical("No such file or directory: %s", f)
                             self.exit(1)
                         # Use config here, to ensure that it takes higher priority than
                         # anything that comes from the profile.
                         c = Config()
                         if os.path.isdir(f):
                             c.NotebookApp.notebook_dir = f
                         elif os.path.isfile(f):
                             c.NotebookApp.file_to_run = f
                         self.update_config(c)
                 def init_kernel_argv(self):
                     """add the profile-dir to arguments to be passed to IPython kernels"""
                     # FIXME: remove special treatment of IPython kernels
                     # Kernel should get *absolute* path to profile directory
                     self.ipython_kernel_argv = ["--profile-dir", self.profile_dir.location]
                 def init_configurables(self):
                     # force Session default to be secure
                     default_secure(self.config)
                     kls = import_item(self.kernel_spec_manager_class)
                     self.kernel_spec_manager = kls(ipython_dir=self.ipython_dir)
                     kls = import_item(self.kernel_manager_class)
                     self.kernel_manager = kls(
                         parent=self, log=self.log, ipython_kernel_argv=self.ipython_kernel_argv,
                         connection_dir = self.profile_dir.security_dir,
                     )
                     kls = import_item(self.contents_manager_class)
                     self.contents_manager = kls(parent=self, log=self.log)
                     kls = import_item(self.session_manager_class)
                     self.session_manager = kls(parent=self, log=self.log,
                                                kernel_manager=self.kernel_manager,
                                                contents_manager=self.contents_manager)
                     kls = import_item(self.cluster_manager_class)
                     self.cluster_manager = kls(parent=self, log=self.log)
                     self.cluster_manager.update_profiles()
                     kls = import_item(self.config_manager_class)
                     self.config_manager = kls(parent=self, log=self.log,
                                               profile_dir=self.profile_dir.location)
                 def init_logging(self):
                     # This prevents double log messages because tornado use a root logger that
                     # self.log is a child of. The logging module dipatches log messages to a log
                     # and all of its ancenstors until propagate is set to False.
                     self.log.propagate = False
                     for log in app_log, access_log, gen_log:
                         # consistent log output name (NotebookApp instead of tornado.access, etc.)
                         log.name = self.log.name
                     # hook up tornado 3's loggers to our app handlers
                     logger = logging.getLogger('tornado')
                     logger.propagate = True
                     logger.parent = self.log
                     logger.setLevel(self.log.level)
                 def init_webapp(self):
                     """initialize tornado webapp and httpserver"""
                     self.tornado_settings['allow_origin'] = self.allow_origin
                     if self.allow_origin_pat:
                         self.tornado_settings['allow_origin_pat'] = re.compile(self.allow_origin_pat)
                     self.tornado_settings['allow_credentials'] = self.allow_credentials
                     self.web_app = NotebookWebApplication(
                         self, self.kernel_manager, self.contents_manager,
                         self.cluster_manager, self.session_manager, self.kernel_spec_manager,
                         self.config_manager,
                         self.log, self.base_url, self.default_url, self.tornado_settings,
                         self.jinja_environment_options
                     )
                     if self.certfile:
                         ssl_options = dict(certfile=self.certfile)
                         if self.keyfile:
                             ssl_options['keyfile'] = self.keyfile
                     else:
                         ssl_options = None
                     self.web_app.password = self.password
                     self.http_server = httpserver.HTTPServer(self.web_app, ssl_options=ssl_options,
                                                              xheaders=self.trust_xheaders)
                     if not self.ip:
                         warning = "WARNING: The notebook server is listening on all IP addresses"
                         if ssl_options is None:
                             self.log.critical(warning + " and not using encryption. This "
                                 "is not recommended.")
                         if not self.password:
                             self.log.critical(warning + " and not using authentication. "
                                 "This is highly insecure and not recommended.")
                     success = None
                     for port in random_ports(self.port, self.port_retries+1):
                         try:
                             self.http_server.listen(port, self.ip)
                         except socket.error as e:
                             if e.errno == errno.EADDRINUSE:
                                 self.log.info('The port %i is already in use, trying another random port.' % port)
                                 continue
                             elif e.errno in (errno.EACCES, getattr(errno, 'WSAEACCES', errno.EACCES)):
                                 self.log.warn("Permission to listen on port %i denied" % port)
                                 continue
                             else:
                                 raise
                         else:
                             self.port = port
                             success = True
                             break
                     if not success:
                         self.log.critical('ERROR: the notebook server could not be started because '
                                           'no available port could be found.')
                         self.exit(1)
                 @property
                 def display_url(self):
                     ip = self.ip if self.ip else '[all ip addresses on your system]'
                     return self._url(ip)
                 @property
                 def connection_url(self):
                     ip = self.ip if self.ip else 'localhost'
                     return self._url(ip)
                 def _url(self, ip):
                     proto = 'https' if self.certfile else 'http'
                     return "%s://%s:%i%s" % (proto, ip, self.port, self.base_url)
                 def init_terminals(self):
                     try:
                         from .terminal import initialize
                         initialize(self.web_app)
                         self.web_app.settings['terminals_available'] = True
                     except ImportError as e:
                         self.log.info("Terminals not available (error was %s)", e)
                 def init_signal(self):
                     if not sys.platform.startswith('win'):
                         signal.signal(signal.SIGINT, self._handle_sigint)
                     signal.signal(signal.SIGTERM, self._signal_stop)
                     if hasattr(signal, 'SIGUSR1'):
                         # Windows doesn't support SIGUSR1
                         signal.signal(signal.SIGUSR1, self._signal_info)
                     if hasattr(signal, 'SIGINFO'):
                         # only on BSD-based systems
                         signal.signal(signal.SIGINFO, self._signal_info)
                 def _handle_sigint(self, sig, frame):
                     """SIGINT handler spawns confirmation dialog"""
                     # register more forceful signal handler for ^C^C case
                     signal.signal(signal.SIGINT, self._signal_stop)
                     # request confirmation dialog in bg thread, to avoid
                     # blocking the App
                     thread = threading.Thread(target=self._confirm_exit)
                     thread.daemon = True
                     thread.start()
                 def _restore_sigint_handler(self):
                     """callback for restoring original SIGINT handler"""
                     signal.signal(signal.SIGINT, self._handle_sigint)
                 def _confirm_exit(self):
                     """confirm shutdown on ^C
                     A second ^C, or answering 'y' within 5s will cause shutdown,
                     otherwise original SIGINT handler will be restored.
                     This doesn't work on Windows.
                     """
                     info = self.log.info
                     info('interrupted')
                     print(self.notebook_info())
                     sys.stdout.write("Shutdown this notebook server (y/[n])? ")
                     sys.stdout.flush()
                     r,w,x = select.select([sys.stdin], [], [], 5)
                     if r:
                         line = sys.stdin.readline()
                         if line.lower().startswith('y') and 'n' not in line.lower():
                             self.log.critical("Shutdown confirmed")
                             ioloop.IOLoop.instance().stop()
                             return
                     else:
                         print("No answer for 5s:", end=' ')
                     print("resuming operation...")
                     # no answer, or answer is no:
                     # set it back to original SIGINT handler
                     # use IOLoop.add_callback because signal.signal must be called
                     # from main thread
                     ioloop.IOLoop.instance().add_callback(self._restore_sigint_handler)
                 def _signal_stop(self, sig, frame):
                     self.log.critical("received signal %s, stopping", sig)
                     ioloop.IOLoop.instance().stop()
                 def _signal_info(self, sig, frame):
                     print(self.notebook_info())
                 def init_components(self):
                     """Check the components submodule, and warn if it's unclean"""
                     status = submodule.check_submodule_status()
                     if status == 'missing':
                         self.log.warn("components submodule missing, running `git submodule update`")
                         submodule.update_submodules(submodule.ipython_parent())
                     elif status == 'unclean':
                         self.log.warn("components submodule unclean, you may see 404s on static/components")
                         self.log.warn("run `setup.py submodule` or `git submodule update` to update")
                 @catch_config_error
                 def initialize(self, argv=None):
                     super(NotebookApp, self).initialize(argv)
                     self.init_logging()
                     self.init_kernel_argv()
                     self.init_configurables()
                     self.init_components()
                     self.init_webapp()
                     self.init_terminals()
                     self.init_signal()
                 def cleanup_kernels(self):
                     """Shutdown all kernels.
                     The kernels will shutdown themselves when this process no longer exists,
                     but explicit shutdown allows the KernelManagers to cleanup the connection files.
                     """
                     self.log.info('Shutting down kernels')
                     self.kernel_manager.shutdown_all()
                 def notebook_info(self):
                     "Return the current working directory and the server url information"
                     info = self.contents_manager.info_string() + "\n"
                     info += "%d active kernels \n" % len(self.kernel_manager._kernels)
                     return info + "The IPython Notebook is running at: %s" % self.display_url
                 def server_info(self):
                     """Return a JSONable dict of information about this server."""
                     return {'url': self.connection_url,
                             'hostname': self.ip if self.ip else 'localhost',
                             'port': self.port,
                             'secure': bool(self.certfile),
                             'base_url': self.base_url,
                             'notebook_dir': os.path.abspath(self.notebook_dir),
                             'pid': os.getpid()
                            }
                 def write_server_info_file(self):
                     """Write the result of server_info() to the JSON file info_file."""
                     with open(self.info_file, 'w') as f:
                         json.dump(self.server_info(), f, indent=2)
                 def remove_server_info_file(self):
                     """Remove the nbserver-<pid>.json file created for this server.
                     Ignores the error raised when the file has already been removed.
                     """
                     try:
                         os.unlink(self.info_file)
                     except OSError as e:
                         if e.errno != errno.ENOENT:
                             raise
                 def start(self):
                     """ Start the IPython Notebook server app, after initialization
                     This method takes no arguments so all configuration and initialization
                     must be done prior to calling this method."""
                     if self.subapp is not None:
                         return self.subapp.start()
                     info = self.log.info
                     for line in self.notebook_info().split("\n"):
                         info(line)
                     info("Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).")
                     self.write_server_info_file()
                     if self.open_browser or self.file_to_run:
                         try:
                             browser = webbrowser.get(self.browser or None)
                         except webbrowser.Error as e:
                             self.log.warn('No web browser found: %s.' % e)
                             browser = None
                         if self.file_to_run:
                             if not os.path.exists(self.file_to_run):
                                 self.log.critical("%s does not exist" % self.file_to_run)
                                 self.exit(1)
                             relpath = os.path.relpath(self.file_to_run, self.notebook_dir)
                             uri = url_path_join('notebooks', *relpath.split(os.sep))
                         else:
                             uri = 'tree'
                         if browser:
                             b = lambda : browser.open(url_path_join(self.connection_url, uri),
                                                       new=2)
                             threading.Thread(target=b).start()
                     try:
                         ioloop.IOLoop.instance().start()
                     except KeyboardInterrupt:
                         info("Interrupted...")
                     finally:
                         self.cleanup_kernels()
                         self.remove_server_info_file()
             def list_running_servers(profile='default'):
                 """Iterate over the server info files of running notebook servers.
                 Given a profile name, find nbserver-* files in the security directory of
                 that profile, and yield dicts of their information, each one pertaining to
                 a currently running notebook server instance.
                 """
                 pd = ProfileDir.find_profile_dir_by_name(get_ipython_dir(), name=profile)
                 for file in os.listdir(pd.security_dir):
                     if file.startswith('nbserver-'):
                         with io.open(os.path.join(pd.security_dir, file), encoding='utf-8') as f:
                             info = json.load(f)
                         # Simple check whether that process is really still running
                         if check_pid(info['pid']):
                             yield info
                         else:
                             # If the process has died, try to delete its info file
                             try:
                                 os.unlink(file)
                             except OSError:
                                 pass  # TODO: This should warn or log or something
             #-----------------------------------------------------------------------------
             # Main entry point
             #-----------------------------------------------------------------------------
             launch_new_instance = NotebookApp.launch_instance

IPython/html/services/kernels/tests/test_kernels_api.py

0 +8 -2

             """Test the kernels service API."""
             import json
             import requests
             from IPython.html.utils import url_path_join
             from IPython.html.tests.launchnotebook import NotebookTestBase, assert_http_error
             class KernelAPI(object):
                 """Wrapper for kernel REST API requests"""
                 def __init__(self, base_url):
                     self.base_url = base_url
                 def _req(self, verb, path, body=None):
                     response = requests.request(verb,
                             url_path_join(self.base_url, 'api/kernels', path), data=body)
                     if 400 <= response.status_code < 600:
                         try:
                             response.reason = response.json()['message']
                         except:
                             pass
                     response.raise_for_status()
                     return response
                 def list(self):
                     return self._req('GET', '')
                 def get(self, id):
                     return self._req('GET', id)
                 def start(self, name='python'):
                     body = json.dumps({'name': name})
                     return self._req('POST', '', body)
                 def shutdown(self, id):
                     return self._req('DELETE', id)
                 def interrupt(self, id):
                     return self._req('POST', url_path_join(id, 'interrupt'))
                 def restart(self, id):
                     return self._req('POST', url_path_join(id, 'restart'))
             class KernelAPITest(NotebookTestBase):
                 """Test the kernels web service API"""
                 def setUp(self):
                     self.kern_api = KernelAPI(self.base_url())
                 def tearDown(self):
                     for k in self.kern_api.list().json():
                         self.kern_api.shutdown(k['id'])
                 def test__no_kernels(self):
                     """Make sure there are no kernels running at the start"""
                     kernels = self.kern_api.list().json()
                     self.assertEqual(kernels, [])
                 def test_default_kernel(self):
                     # POST request
                     r = self.kern_api._req('POST', '')
                     kern1 = r.json()
                     self.assertEqual(r.headers['location'], '/api/kernels/' + kern1['id'])
                     self.assertEqual(r.status_code, 201)
                     self.assertIsInstance(kern1, dict)
-                    self.assertEqual(r.headers['x-frame-options'], "SAMEORIGIN")
+                    self.assertEqual(r.headers['Content-Security-Policy'], (
+                                        "frame-ancestors 'self'; "
+                                        "report-uri /api/security/csp-report;"
+                    ))
                 def test_main_kernel_handler(self):
                     # POST request
                     r = self.kern_api.start()
                     kern1 = r.json()
                     self.assertEqual(r.headers['location'], '/api/kernels/' + kern1['id'])
                     self.assertEqual(r.status_code, 201)
                     self.assertIsInstance(kern1, dict)
-                    self.assertEqual(r.headers['x-frame-options'], "SAMEORIGIN")
+                    self.assertEqual(r.headers['Content-Security-Policy'], (
+                                        "frame-ancestors 'self'; "
+                                        "report-uri /api/security/csp-report;"
+                    ))
                     # GET request
                     r = self.kern_api.list()
                     self.assertEqual(r.status_code, 200)
                     assert isinstance(r.json(), list)
                     self.assertEqual(r.json()[0]['id'], kern1['id'])
                     self.assertEqual(r.json()[0]['name'], kern1['name'])
                     # create another kernel and check that they both are added to the
                     # list of kernels from a GET request
                     kern2 = self.kern_api.start().json()
                     assert isinstance(kern2, dict)
                     r = self.kern_api.list()
                     kernels = r.json()
                     self.assertEqual(r.status_code, 200)
                     assert isinstance(kernels, list)
                     self.assertEqual(len(kernels), 2)
                     # Interrupt a kernel
                     r = self.kern_api.interrupt(kern2['id'])
                     self.assertEqual(r.status_code, 204)
                     # Restart a kernel
                     r = self.kern_api.restart(kern2['id'])
                     self.assertEqual(r.headers['Location'], '/api/kernels/'+kern2['id'])
                     rekern = r.json()
                     self.assertEqual(rekern['id'], kern2['id'])
                     self.assertEqual(rekern['name'], kern2['name'])
                 def test_kernel_handler(self):
                     # GET kernel with given id
                     kid = self.kern_api.start().json()['id']
                     r = self.kern_api.get(kid)
                     kern1 = r.json()
                     self.assertEqual(r.status_code, 200)
                     assert isinstance(kern1, dict)
                     self.assertIn('id', kern1)
                     self.assertEqual(kern1['id'], kid)
                     # Request a bad kernel id and check that a JSON
                     # message is returned!
                     bad_id = '111-111-111-111-111'
                     with assert_http_error(404, 'Kernel does not exist: ' + bad_id):
                         self.kern_api.get(bad_id)
                     # DELETE kernel with id
                     r = self.kern_api.shutdown(kid)
                     self.assertEqual(r.status_code, 204)
                     kernels = self.kern_api.list().json()
                     self.assertEqual(kernels, [])
                     # Request to delete a non-existent kernel id
                     bad_id = '111-111-111-111-111'
                     with assert_http_error(404, 'Kernel does not exist: ' + bad_id):
                         self.kern_api.shutdown(bad_id)

docs/source/whatsnew/development.rst

0 +35 -9

             =====================
              Development version
             =====================
             This document describes in-flight development work.
             .. warning::
                 Please do not edit this file by hand (doing so will likely cause merge
                 conflicts for other Pull Requests). Instead, create a new file in the
                 `docs/source/whatsnew/pr` folder
             Using different kernels
             -----------------------
             .. image:: ../_images/kernel_selector_screenshot.png
                :alt: Screenshot of notebook kernel selection dropdown menu
                :align: center
             You can now choose a kernel for a notebook within the user interface, rather
             than starting up a separate notebook server for each kernel you want to use. The
             syntax highlighting adapts to match the language you're working in.
             Information about the kernel is stored in the notebook file, so when you open a
             notebook, it will automatically start the correct kernel.
             It is also easier to use the Qt console and the terminal console with other
             kernels, using the --kernel flag::
                 ipython qtconsole --kernel bash
                 ipython console --kernel bash
                 # To list available kernels
                 ipython kernelspec list
             Kernel authors should see :ref:`kernelspecs` for how to register their kernels
             with IPython so that these mechanisms work.
             Typing unicode identifiers
             --------------------------
             .. image:: /_images/unicode_completion.png
             Complex expressions can be much cleaner when written with a wider choice of
             characters. Python 3 allows unicode identifiers, and IPython 3 makes it easier
             to type those, using a feature from Julia. Type a backslash followed by a LaTeX
             style short name, such as ``\alpha``. Press tab, and it will turn into α.
             Other new features
             ------------------
             * :class:`~.TextWidget` and :class:`~.TextareaWidget` objects now include a
               ``placeholder`` attribute, for displaying placeholder text before the
               user has typed anything.
             * The :magic:`load` magic can now find the source for objects in the user namespace.
               To enable searching the namespace, use the ``-n`` option.
               .. sourcecode:: ipython
                   In [1]: %load -n my_module.some_function
             * :class:`~.DirectView` objects have a new :meth:`~.DirectView.use_cloudpickle`
               method, which works like ``view.use_dill()``, but causes the ``cloudpickle``
               module from PiCloud's `cloud`__ library to be used rather than dill or the
               builtin pickle module.
               __ https://pypi.python.org/pypi/cloud
             * Added a .ipynb exporter to nbconvert.  It can be used by passing `--to notebook`
               as a commandline argument to nbconvert.
             * New nbconvert preprocessor called :class:`~.ClearOutputPreprocessor`. This
               clears the output from IPython notebooks.
             * New preprocessor for nbconvert that executes all the code cells in a notebook.
               To run a notebook and save its output in a new notebook::
                   ipython nbconvert InputNotebook --ExecutePreprocessor.enabled=True --to notebook --output Executed
             * Consecutive stream (stdout/stderr) output is merged into a single output
               in the notebook document.
               Previously, all output messages were preserved as separate output fields in the JSON.
               Now, the same merge is applied to the stored output as the displayed output,
               improving document load time for notebooks with many small outputs.
             * ``NotebookApp.webapp_settings`` is deprecated and replaced with
               the more informatively named ``NotebookApp.tornado_settings``.
             * Using :magic:`timeit` prints warnings if there is atleast a 4x difference in timings
               between the slowest and fastest runs, since this might meant that the multiple
               runs are not independent of one another.
             * It's now possible to provide mechanisms to integrate IPython with other event
               loops, in addition to the ones we already support. This lets you run GUI code
               in IPython with an interactive prompt, and to embed the IPython
               kernel in GUI applications. See :doc:`/config/eventloops` for details. As part
               of this, the direct ``enable_*`` and ``disable_*`` functions for various GUIs
               in :mod:`IPython.lib.inputhook` have been deprecated in favour of
               :meth:`~.InputHookManager.enable_gui` and :meth:`~.InputHookManager.disable_gui`.
             * A ``ScrollManager`` was added to the notebook.  The ``ScrollManager`` controls how the notebook document is scrolled using keyboard.  Users can inherit from the ``ScrollManager`` or ``TargetScrollManager`` to customize how their notebook scrolls.  The default ``ScrollManager`` is the ``SlideScrollManager``, which tries to scroll to the nearest slide or sub-slide cell.
             * The function :func:`~IPython.html.widgets.interaction.interact_manual` has been
               added which behaves similarly to :func:`~IPython.html.widgets.interaction.interact`,
               but adds a button to explicitly run the interacted-with function, rather than
               doing it automatically for every change of the parameter widgets. This should
               be useful for long-running functions.
             * The ``%cython`` magic is now part of the Cython module. Use `%load_ext Cython` with a version of Cython >= 0.21 to have access to the magic now.
             * The Notebook application now offers integrated terminals on Unix platforms,
               intended for when it is used on a remote server. To enable these, install
               the ``terminado`` Python package.
             * Setting the default highlighting language for nbconvert with the config option
               ``NbConvertBase.default_language`` is deprecated. Nbconvert now respects
               metadata stored in the :ref:`kernel spec <kernelspecs>`.
             * IPython can now be configured systemwide, with files in :file:`/etc/ipython`
               or :file:`/usr/local/etc/ipython` on Unix systems,
               or :file:`{%PROGRAMDATA%}\\ipython` on Windows.
             .. DO NOT EDIT THIS LINE BEFORE RELEASE. FEATURE INSERTION POINT.
             Backwards incompatible changes
             ------------------------------
             * :func:`IPython.core.oinspect.getsource` call specification has changed:
               * `oname` keyword argument has been added for property source formatting
               * `is_binary` keyword argument has been dropped, passing ``True`` had
                 previously short-circuited the function to return ``None`` unconditionally
             * Removed the octavemagic extension: it is now available as ``oct2py.ipython``.
             * Creating PDFs with LaTeX no longer uses a post processor.
               Use `nbconvert --to pdf` instead of `nbconvert --to latex --post pdf`.
             * Used https://github.com/jdfreder/bootstrap2to3 to migrate the Notebook to Bootstrap 3.
               Additional changes:
               - Set `.tab-content .row` `0px;` left and right margin (bootstrap default is `-15px;`)
               - Removed `height: @btn_mini_height;` from `.list_header>div, .list_item>div` in `tree.less`
               - Set `#header` div `margin-bottom: 0px;`
               - Set `#menus` to `float: left;`
               - Set `#maintoolbar .navbar-text` to `float: none;`
               - Added no-padding convienence class.
               - Set border of #maintoolbar to 0px
             * Accessing the `container` DOM object when displaying javascript has been
               deprecated in IPython 2.0 in favor of accessing `element`. Starting with
               IPython 3.0 trying to access `container` will raise an error in browser
               javascript console.
             * ``IPython.utils.py3compat.open`` was removed: :func:`io.open` provides all
               the same functionality.
             * The NotebookManager and ``/api/notebooks`` service has been replaced by
               a more generic ContentsManager and ``/api/contents`` service,
               which supports all kinds of files.
             * The Dashboard now lists all files, not just notebooks and directories.
             * The ``--script`` hook for saving notebooks to Python scripts is removed,
               use :samp:`ipython nbconvert --to python {notebook}` instead.
             * The ``rmagic`` extension is deprecated, as it is now part of rpy2. See
               :mod:`rpy2.ipython.rmagic`.
             * :meth:`~.KernelManager.start_kernel` and :meth:`~.KernelManager.format_kernel_cmd`
               no longer accept a ``executable`` parameter. Use the kernelspec machinery instead.
             * The widget classes have been renamed from `*Widget` to `*`.  The old names are
               still functional, but are deprecated.  i.e. `IntSliderWidget` has been renamed
               to `IntSlider`.
             * The ContainerWidget was renamed to Box and no longer defaults as a flexible
               box in the web browser.  A new FlexBox widget was added, which allows you to
               use the flexible box model.
             .. DO NOT EDIT THIS LINE BEFORE RELEASE. INCOMPAT INSERTION POINT.
-            IFrame embedding
+            Content Security Policy
-            ````````````````
+            ```````````````````````
-            The IPython Notebook and its APIs by default will only be allowed to be
+            The Content Security Policy is a web standard for adding a layer of security to
-            embedded in an iframe on the same origin.
+            detect and mitigate certain classes of attacks, including Cross Site Scripting
+            (XSS) and data injection attacks. This was introduced into the notebook to
+            ensure that the IPython Notebook and its APIs (by default) can only be embedded
+            in an iframe on the same origin.
-            To override this, set ``headers[X-Frame-Options]`` to one of
+            Override ``headers['Content-Security-Policy']`` within your notebook
+            configuration to extend for alternate domains and security settings.::
-            * DENY
+                c.NotebookApp.tornado_settings = {
-            * SAMEORIGIN
+                    'headers': {
-            * ALLOW-FROM uri
+                        'Content-Security-Policy': "frame-ancestors 'self'"
+                    }
+                }
-            See `Mozilla's guide to X-Frame-Options <https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options>`_ for more examples.
+            Example policies::
+                Content-Security-Policy: default-src 'self' https://*.jupyter.org
+            Matches embeddings on any subdomain of jupyter.org, so long as they are served
+            over SSL.
+            There is a `report-uri <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives#report-uri>`_ endpoint available for logging CSP violations, located at
+            ``/api/security/csp-report``. To use it, set ``report-uri`` as part of the CSP::
+                c.NotebookApp.tornado_settings = {
+                    'headers': {
+                        'Content-Security-Policy': "frame-ancestors 'self'; report-uri /api/security/csp-report"
+                    }
+                }
+            It simply provides the CSP report as a warning in IPython's logs. The default
+            CSP sets this report-uri relative to the ``base_url`` (not shown above).
+            For a more thorough and accurate guide on Content Security Policies, check out
+            `MDN's Using Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy>`_ for more examples.

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages