use outermost proxied entry when checking for browser protocol

wee care about what the browser sees, so trust the outermost entry instead of the innermost This is not secure _in general_, in that these values can be spoofed by malicious proxies, but for CORS and cookie purposes, we only care about what the browser sees, however many hops there may be. A malicious proxy in the chain here isn't a concern because what matters is the immediate hop from the _browser_, not the immediate hop from the _server_.
2025-10-13 04:53:01 +00:00 · 2022-01-07 14:03:11 +01:00
parent a2ba55756d
commit ccfee4d235
7 changed files with 119 additions and 13 deletions
--- a/jupyterhub/handlers/base.py
+++ b/jupyterhub/handlers/base.py
@@ -49,6 +49,7 @@ from ..spawner import LocalProcessSpawner
 from ..user import User
 from ..utils import AnyTimeoutError
 from ..utils import get_accepted_mimetype
+from ..utils import get_browser_protocol
 from ..utils import maybe_future
 from ..utils import url_path_join

@@ -632,12 +633,10 @@ class BaseHandler(RequestHandler):
        next_url = self.get_argument('next', default='')
        # protect against some browsers' buggy handling of backslash as slash
        next_url = next_url.replace('\\', '%5C')
-        if (next_url + '/').startswith(
-            (
-                f'{self.request.protocol}://{self.request.host}/',
-                f'//{self.request.host}/',
-            )
-        ) or (
+        proto = get_browser_protocol(self.request)
+        host = self.request.host
+
+        if (next_url + '/').startswith((f'{proto}://{host}/', f'//{host}/',)) or (
            self.subdomain_host
            and urlparse(next_url).netloc
            and ("." + urlparse(next_url).netloc).endswith(