
Streamlit removes _xsrf cookie even with 'server.enableXsrfProtection=False'

Summary

Our primary use case for streamlit is to run ad-hoc scripts from a JupyterHub container. In order to access the streamlit tool, we're using jupyter-server-proxy, i.e. the streamlit app is accessed through a URL like "{jupyterhub-host-port}/{jupyter-url}/proxy/8501/".

We configure streamlit to disable xsrf and cors protection.

Streamlit is removing _xsrf cookie in its JS code, which breaks JupyterLab functionality.

I believe that offending line is here: https://github.com/streamlit/streamlit/blob/develop/frontend/src/App.tsx#L274

It would be great if streamlit would not touch _xsrf cookie if it was not configured to use it.

Issue Analytics

  • State: open
  • Created: 3 years ago
  • Comments: 15 (4 by maintainers)

Top GitHub Comments

1 reaction
Kirill888 commented, Nov 21, 2022

Same here, using streamlit via jupyterlab/hub. There are really several issues here:

  1. Cookies are set at path / on the JS side, ignoring --server.baseUrlPath=/some/other/path/
  2. The _xsrf cookie is cleared on the JS side, ignoring the --server.enableXsrfProtection=false option
  3. Cookies set on the JS side lack the SameSite=None; Secure options, needed in modern browsers when accessing over https.

Basically, the scenario where a streamlit app is served from behind an HTTP reverse proxy under some prefix path over a TLS connection is not quite right.

Possible Fixes

In the section below

https://github.com/streamlit/streamlit/blob/f739c18c94a3235ba565d05f8dfdee70bc6dba10/frontend/src/App.tsx#L377-L382

the setCookie call needs either a guard like if ( options.enableXsrfProtection ){ ... }*, or it should just not happen on the JS side at all.

In the setCookie implementation:

https://github.com/streamlit/streamlit/blob/f739c18c94a3235ba565d05f8dfdee70bc6dba10/frontend/src/lib/utils.ts#L160-L170

path= should be set not to / but to options.baseUrlPath*, and it should also allow specifying the SameSite= and Secure options to make things work over https.

Example of warning produced in Firefox when setCookie is called:

Cookie “_xsrf” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite main.951e143b.chunk.js:1:649272

* The options object is not a real thing that exists currently, as far as I can tell; think of it as the JS view of the Python app configuration, specifically the .baseUrlPath and .enableXsrfProtection parts of the config. A .cookieOptions part would also be nice to have.
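The three points above (cookie path scoped to the base URL path, SameSite/Secure attributes, and not touching _xsrf unless XSRF protection is on) can be combined in one small helper. The code below is an added illustration, not Streamlit's setCookie or anything from the linked App.tsx; the options object is the hypothetical configuration view the comment describes, and xsrfToken, sameSite, secure and maxAgeSeconds are assumed field names. Because a browser only overwrites or clears a cookie whose name and path both match, scoping the path to baseUrlPath is also what keeps the app from clobbering a _xsrf cookie that JupyterHub set at /.

```javascript
// Added example, not code from the Streamlit project.
// `options` is a hypothetical JS view of the server config:
//   { enableXsrfProtection, baseUrlPath, xsrfToken, sameSite, secure, maxAgeSeconds }

// Cookie paths must start with "/" and should not carry a trailing slash
// (except for the root path itself), so "/some/other/path/" -> "/some/other/path".
function normalizeCookiePath(baseUrlPath) {
  let p = (baseUrlPath || "").trim();
  if (!p.startsWith("/")) p = "/" + p;
  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
  return p;
}

// Build the `document.cookie` assignment string with explicit path,
// SameSite and Secure attributes instead of relying on browser defaults.
function buildCookie(name, value, opts) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  parts.push(`path=${normalizeCookiePath(opts.baseUrlPath)}`);
  if (opts.maxAgeSeconds !== undefined) parts.push(`max-age=${opts.maxAgeSeconds}`);
  const sameSite = opts.sameSite || "Lax";
  parts.push(`SameSite=${sameSite}`);
  // Browsers reject SameSite=None unless Secure is also present, so force it.
  if (opts.secure || sameSite === "None") parts.push("Secure");
  return parts.join("; ");
}

// Decide what to do with the _xsrf cookie. When XSRF protection is disabled the
// cookie is left alone entirely: another application on the same host (here
// JupyterHub) may own it. `doc` is injectable so this runs outside a browser.
function xsrfCookieAction(options, doc) {
  const target = doc !== undefined ? doc : (typeof document !== "undefined" ? document : null);
  if (!options.enableXsrfProtection) {
    return { action: "leave", cookie: null };
  }
  const cookie = buildCookie("_xsrf", options.xsrfToken, options);
  if (target) target.cookie = cookie;
  return { action: "set", cookie };
}

// Constructed sample config mirroring the jupyter-server-proxy setup in the issue.
const sampleOptions = {
  enableXsrfProtection: false,
  baseUrlPath: "/user/alice/proxy/8501/",
  sameSite: "None",
};
console.log(xsrfCookieAction(sampleOptions, null)); // { action: "leave", cookie: null }
```

With enableXsrfProtection set to true and the same base path, the helper emits a cookie scoped to /user/alice/proxy/8501 with SameSite=None; Secure, which is what the reverse-proxy-over-TLS deployment in the issue needs.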
