Streamlit removes _xsrf cookie even with 'server.enableXsrfProtection=False'
Summary
Our primary use case for streamlit is to run ad-hoc scripts from a JupyterHub container. In order to access the streamlit tool we're using jupyter-server-proxy, i.e. the streamlit app is accessed through a URL like "{jupyterhub-host-port}/{jupyter-url}/proxy/8501/".
We configure streamlit to disable xsrf and cors protection.
Streamlit is removing the `_xsrf` cookie in its JS code, which breaks JupyterLab functionality.
I believe that offending line is here: https://github.com/streamlit/streamlit/blob/develop/frontend/src/App.tsx#L274
It would be great if streamlit would not touch the `_xsrf` cookie if it was not configured to use it.
Issue Analytics
- Created 3 years ago
- Comments: 15 (4 by maintainers)
Top GitHub Comments
https://user-images.githubusercontent.com/71321/103665932-0d75ca00-4f85-11eb-8c65-f1a67e7ac53f.mp4
Please find screencast attached
Same here, using streamlit via jupyterlab/hub. There are really several issues here:

- `_xsrf` cookie path is `/` on JS side, ignoring `--server.baseUrlPath=/some/other/path/`
- `_xsrf` cookie is cleared on JS side, ignoring `--server.enableXsrfProtection=false`
- no option for `SameSite=None;Secure` options, needed in modern browsers when accessing over https.

Basically the scenario where the streamlit app is served from behind an HTTP reverse proxy under some prefix path over a TLS connection is not quite right.

Possible Fixes

In the section below https://github.com/streamlit/streamlit/blob/f739c18c94a3235ba565d05f8dfdee70bc6dba10/frontend/src/App.tsx#L377-L382 the `setCookie` call needs either a guard like `if (options.enableXsrfProtection) { ... }`*, or just not happen on JS side at all.

In the `setCookie` implementation (https://github.com/streamlit/streamlit/blob/f739c18c94a3235ba565d05f8dfdee70bc6dba10/frontend/src/lib/utils.ts#L160-L170), `path=` should be set not to `/` but to `options.baseUrlPath`*, and it should also allow specifying `SameSite=` and `Secure` options to make things work over https.

Example of warning produced in Firefox when `setCookie` is called:

[screenshot of the Firefox cookie warning, not preserved in this copy]

\* The `options` object is not a real thing that exists currently as far as I can tell; think of it as a JS view of the Python app configuration, specifically the `.baseUrlPath` and `.enableXsrfProtection` parts of the config. Also `.cookieOptions` would be nice to have.
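The fixes proposed in the comment above, as an added example that is not Streamlit's code or the commenter's: `options` is the hypothetical JS view of the server config described in the footnote (`baseUrlPath`, `enableXsrfProtection`, `cookieOptions`), and `cookieJar` is a plain object standing in for `document.cookie` so the guard can be exercised outside a browser.

```javascript
// Added example, not Streamlit code. `options` mirrors the commenter's hypothetical
// JS view of the Python server config; the field names are assumptions.
const defaultOptions = {
  baseUrlPath: "/",
  enableXsrfProtection: true,
  cookieOptions: { sameSite: "Lax", secure: false },
};

// Build the attribute string for the _xsrf cookie. The path follows baseUrlPath
// instead of a hard-coded "/", and SameSite/Secure come from cookieOptions so the
// app keeps working behind a TLS reverse proxy under a prefix path.
function buildXsrfCookie(value, options = defaultOptions) {
  const opts = { ...defaultOptions, ...options };
  const cookieOpts = {
    ...defaultOptions.cookieOptions,
    ...(options.cookieOptions || {}),
  };
  // Normalize the base path: leading slash, no trailing slash except for root.
  let path = opts.baseUrlPath || "/";
  if (!path.startsWith("/")) path = "/" + path;
  if (path.length > 1 && path.endsWith("/")) path = path.slice(0, -1);
  // Browsers reject SameSite=None without Secure, so enforce the pairing.
  const secure = cookieOpts.secure || cookieOpts.sameSite === "None";
  const parts = [
    `_xsrf=${encodeURIComponent(value)}`,
    `path=${path}`,
    `SameSite=${cookieOpts.sameSite}`,
  ];
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// Guarded write, i.e. the check proposed for App.tsx: only touch the _xsrf
// cookie when XSRF protection is enabled. Returns the updated jar; with
// protection disabled any existing _xsrf cookie (e.g. JupyterHub's) is left alone.
function setXsrfCookie(cookieJar, value, options = defaultOptions) {
  const opts = { ...defaultOptions, ...options };
  if (!opts.enableXsrfProtection) {
    return cookieJar;
  }
  return { ...cookieJar, _xsrf: buildXsrfCookie(value, opts) };
}
```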