use outermost proxied entry when checking for browser protocol

wee care about what the browser sees, so trust the outermost entry instead of the innermost This is not secure _in general_, in that these values can be spoofed by malicious proxies, but for CORS and cookie purposes, we only care about what the browser sees, however many hops there may be. A malicious proxy in the chain here isn't a concern because what matters is the immediate hop from the _browser_, not the immediate hop from the _server_.
2025-10-10 03:23:04 +00:00 · 2022-01-07 14:03:11 +01:00
parent a2ba55756d
commit ccfee4d235
7 changed files with 119 additions and 13 deletions
--- a/jupyterhub/tests/test_api.py
+++ b/jupyterhub/tests/test_api.py
@@ -118,16 +118,39 @@ async def test_post_content_type(app, content_type, status):
        ("fake.example", {"netloc": "fake.example", "scheme": "https"}, {}, 403),
        # explicit ports, match
        ("fake.example:81", {"netloc": "fake.example:81"}, {}, 200),
-        # Test proxy defined headers taken into account by xheaders=True in
-        # https://github.com/jupyterhub/jupyterhub/blob/2.0.1/jupyterhub/app.py#L3065
+        # Test proxy protocol defined headers taken into account by utils.get_browser_protocol
        (
            "fake.example",
            {"netloc": "fake.example", "scheme": "https"},
-            # note {"X-Forwarded-Proto": "https"} does not work
            {'X-Scheme': 'https'},
            200,
        ),
+        (
+            "fake.example",
+            {"netloc": "fake.example", "scheme": "https"},
+            {'X-Forwarded-Proto': 'https'},
+            200,
+        ),
+        (
+            "fake.example",
+            {"netloc": "fake.example", "scheme": "https"},
+            {
+                'Forwarded': 'host=fake.example;proto=https,for=1.2.34;proto=http',
+                'X-Scheme': 'http',
+            },
+            200,
+        ),
+        (
+            "fake.example",
+            {"netloc": "fake.example", "scheme": "https"},
+            {
+                'Forwarded': 'host=fake.example;proto=http,for=1.2.34;proto=http',
+                'X-Scheme': 'https',
+            },
+            403,
+        ),
        ("fake.example", {"netloc": "fake.example"}, {'X-Scheme': 'https'}, 403),
+        ("fake.example", {"netloc": "fake.example"}, {'X-Scheme': 'https, http'}, 403),
    ],
 )
 async def test_cors_check(request, app, host, referer, extraheaders, status):