-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TB2.4+ POST to scalar_multirun omits XSRF header, blocking use of TensorBoard under JupyterLab #4685
Comments
@wchargin , per our discussion earlier today. Thanks! |
Even with this change, there is a missing XSRF (cross-site request forgery) header issue with this portion of TensorBoard 2.4 functionality; see tensorflow/tensorboard#4685 . Jupyter can be configured to disable XSRF checking as a short-term workaround, but this is less than desirable.
Even with this change, there is a missing XSRF (cross-site request forgery) header issue with this portion of TensorBoard 2.4 functionality; see tensorflow/tensorboard#4685 . Jupyter can be configured to disable XSRF checking as a short-term workaround, but this is less than desirable. Signed-off-by: Cliff Woolley <jwoolley@nvidia.com>
Even with this change, there is a missing XSRF (cross-site request forgery) header issue with this portion of TensorBoard 2.4 functionality; see tensorflow/tensorboard#4685 . Jupyter can be configured to disable XSRF checking as a short-term workaround, but this is less than desirable. Signed-off-by: Cliff Woolley <jwoolley@nvidia.com>
jupyterlab/jupyterlab#1435 (comment) might be helpful?
...which refers to this snippet of code: https://github.com/jupyter/notebook/blob/4.x/notebook/static/base/js/utils.js#L699-L704
|
So there seem to be at least two things happening:
|
@stephanwlee FYI since you appear to be working on some related things recently. |
I realized that the reason for this one is just that TB isn't using the Angular JS client for those particular POSTS; it's using calls to XHR in tensorboard/components/tf_backend/requestManager.ts. It seems we can insert something minimal here to mimic the Angular behavior; perhaps something like this?
|
See also tensorflow/tensorboard#4685 Signed-off-by: Cliff Woolley <jwoolley@nvidia.com>
Hi Cliff, thanks for the additional details! We've discussed this a bit and as I think you've determined, this isn't so much a specific omission / bug in TensorBoard as it just is that we don't do any XSRF token propagation at all, because TensorBoard itself doesn't have state-changing endpoints and therefore doesn't intrinsically require XSRF protection. There isn't a single standard way to do XSRF token propagation (and as you can see we also don't use the Angular request manager), so it doesn't really make sense in our code to special-case specific cookie names and headers that are used by Angular and/or Tornado. However I noticed you've already figured out that you can make the necessary changes within Jupyter TensorBoard's request handlers to conditionally disable Tornado's XSRF token checking: cliffwoolley/jupyter_tensorboard@dfa2a17 Rather than the version-gating on TB <= 2.4, our recommendation is just to go with this as the solution, since it keeps the logic that's specific to the Jupyter/Tornado XSRF requirements contained to where it's necessary. (You shouldn't need the XSRF header translation logic, so it could look more like the original upstream PR.) If you'd like to be stricter about which POST requests you exempt from XSRF checking, you could always check the request path and limit the exemption to |
Summary: All POST, PUT, and DELETE requests sent through `TBHttpClient` now include a header `X-XSRF-Protected: 1`. The name and value are constant; this is not a XSRF token. Instead, servers can determine from the presence of this non-standard header that it was sent through JavaScript (rather than a form) and thus is subject to the same-origin policy. This is currently intended for Google-internal surfaces, and is unrelated to #4685. Test Plan: Unit tests included. Test sync passes: <http://cl/358305731>. wchargin-branch: http-xsrf-header wchargin-source: ce163141b39d3fa1e3363ab8d4790765c35968b2
Summary: All POST, PUT, and DELETE requests sent through `TBHttpClient` now include a header `X-XSRF-Protected: 1`. The name and value are constant; this is not a XSRF token. Instead, servers can determine from the presence of this non-standard header that it was sent through JavaScript (rather than a form) and thus is subject to the same-origin policy. This is currently intended for Google-internal surfaces, and is unrelated to #4685. Test Plan: Unit tests included. Test sync passes: <http://cl/358305731>. wchargin-branch: http-xsrf-header
Extends XSRF header exceptions to POST requests per discussion in tensorflow/tensorboard#4685 (comment) Signed-off-by: Cliff Woolley <jwoolley@nvidia.com>
OK @nfelt , thanks for the feedback. Done in cliffwoolley/jupyter_tensorboard@ffa7e26 and closing. |
Even with this change, there is a missing XSRF (cross-site request forgery) header issue with this portion of TensorBoard 2.4 functionality; see tensorflow/tensorboard#4685 . Jupyter can be configured to disable XSRF checking as a short-term workaround, but this is less than desirable. Signed-off-by: Cliff Woolley <jwoolley@nvidia.com>
Extends XSRF header exceptions to POST requests per discussion in tensorflow/tensorboard#4685 (comment) Signed-off-by: Cliff Woolley <jwoolley@nvidia.com>
Environment information (required)
Diagnostics
Diagnostics output
Issue description
When loading TensorBoard through Jupyter-TensorBoard + JupyterLab-Tensorboard , we find that with TB2.4 and later (since #4050 ), the Scalar card doesn't ever finish loading. What's happening is that the new
scalars_multirun
POST requests are getting rejected by the JupyterLab web service before routing them to TB, because they are missing the correct Cross-Site Request Forgery (XSRF) header, which should have been set by JupyterLab and passed back to it by TensorBoard yet wasn't for some reason.As a workaround, in a vaguely similar way to #4191, if I patch TensorBoard to force use of the older Get path for Scalars at https://github.com/tensorflow/tensorboard/blob/master/tensorboard/plugins/scalar/tf_scalar_dashboard/tf-scalar-card.ts#L298 , then TensorBoard 2.4 and JupyterLab can work well again together.
How can we get this header passed through the POST request for JupyterLab to accept
scalars_multirun
requests?The text was updated successfully, but these errors were encountered: