connect-src 'none'

[alshan]

Since recently my notebook fails to render at nbviewer with the following error:

Refused to connect to 'URL' because it violates the following Content Security Policy directive: "connect-src 'none'".

Link: https://nbviewer.jupyter.org/github/JetBrains/lets-plot/blob/master/docs/examples/jupyter-notebooks/map_basemap_gallery.ipynb

AFAIU connect-src 'none' CSP blocks loading resources from any source.

Is this your new security policy?

Expected behavior:

https://www.kaggle.com/alshan/the-gallery-of-basemaps

[parente]

connect-src used to be set to * in the old, private nbviewer-deploy repo that handled deployment of nbviewer.org on Rackspace. (https://github.com/jupyter/nbviewer-deploy/blob/master/tasks.py#L213) I see @minrk pulled that configuration forward into that new, nbviewer.org-deploy repo (https://github.com/jupyter/nbviewer.org-deploy/blob/master/config/nbviewer.yaml#L12) when switching the hosting to OVH in back in March (#906).

My best guess is that the config must not be applied correctly by helm at deploy time (https://github.com/jupyter/nbviewer/blob/master/helm-chart/nbviewer/templates/deployment.yaml#L62). I don't have access to the OVH account to check if this is the case or not. Perhaps @minrk does and can have a look when he has time.

[alshan]

@parente Thank you, I hope this wont last.

[dbuezas]

I'm facing the same issue here https://github.com/yunabe/tslab-examples/issues/2

Here's a duplicate of this one https://github.com/jupyter/nbviewer/issues/964