@interact's when embedding sage cell in a static website


William Stein

Jan 29, 2020, 2:21:10 PM
to sage-cell
Hi Andrey (and the sage-cell list),

I was just demoing the Sage cell server, and hit a confusing issue:

If you use an interact at https://sagecell.sagemath.org/ like this
then it works fine:

@interact
def f(n=2020):
    print(factor(n))

But if you embed an interact in a "random" static site via the simple
directions, then it is completely broken (email will probably mangle
this, but you get the point, and I also attached a screenshot). By
"broken" I mean that there is a spinner forever and no output appears:

<script src="https://sagecell.sagemath.org/static/embedded_sagecell.js"></script>
<script>sagecell.makeSagecell({"inputLocation": ".sage"});</script>

<div class="sage">
<script type="text/x-sage">
@interact
def f(n=2020):
    print(factor(n))
</script>
</div>

The interacts at https://wiki.sagemath.org/interact *do* work though.

If you expand a sage cell at
http://linear.ups.edu/html/section-SSLE.html then try to put an
interact in it, that also does NOT work.

Of course, actually looking at the console log reveals the problem:

Access to XMLHttpRequest at
'https://sagecell.sagemath.org/kernel?CellSessionID=7dce1ecb762c41868c96f9af39df6ea8&timeout=0&accepted_tos=true'
from origin 'https://cocalc.com' has been blocked by CORS policy:
Request header field x-xsrftoken is not allowed by
Access-Control-Allow-Headers in preflight response.

So to get widgets to work with the sagecell server, I have to
configure the site hosting my static html to allow certain types of
cross domain access that is denied by default. That's all fine and
good, but...

(1) is there anything documented anywhere about issues with CORS +
sagecell server? I googled and could find absolutely nothing at all,
and no issues in the sagecell issue tracker.

(2) Wouldn't it be nice if instead of the output just spinning forever
and things being broken, the client sagecell could say "sorry, widgets
are not available due to the CORS policy of the hosting website.
Please see this link for more details...." or something like that?

Just curious if this has come up before, or should I create a ticket at

https://github.com/sagemath/sagecell/issues

?



--
William (http://wstein.org)
2020-01-29 11_01_17-Your Phone.png
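
The preflight failure in the console log above comes down to a header-name comparison. As an added example (not part of the original thread and not SageMathCell code), this JavaScript applies the browser's preflight origin and header checks to a constructed request and two constructed server responses. Only the origin and the x-xsrftoken header name come from the error message; the function names, token value and response header values are assumptions, and the method check is left out.

```javascript
// Content types that keep Content-Type a CORS-safelisted request header.
const SIMPLE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
// True when a request header must be approved via Access-Control-Allow-Headers.
// (The Range header and per-value length limits are not modelled.)
function needsApproval(name, value) {
  const n = name.toLowerCase();
  if (["accept", "accept-language", "content-language"].includes(n)) return false;
  if (n === "content-type") {
    const mime = String(value).split(";")[0].trim().toLowerCase();
    return !SIMPLE_TYPES.includes(mime);
  }
  return true;
}

// Decide whether a preflight response lets the real request proceed.
// request: { origin, credentials, headers }; preflightHeaders: response headers.
function checkPreflight(request, preflightHeaders) {
  const resp = {};
  for (const [k, v] of Object.entries(preflightHeaders)) resp[k.toLowerCase()] = v;
  const allowOrigin = resp["access-control-allow-origin"];
  // "*" only matches when the request is sent without credentials.
  if (allowOrigin !== request.origin && !(allowOrigin === "*" && !request.credentials)) {
    return { allowed: false, blocked: [], reason: `Origin ${request.origin} is not allowed by Access-Control-Allow-Origin.` };
  }
  const listed = (resp["access-control-allow-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  // A "*" entry never covers Authorization and is literal with credentials.
  const wildcard = listed.includes("*") && !request.credentials;
  const blocked = Object.entries(request.headers)
    .filter(([n, v]) => needsApproval(n, v))
    .map(([n]) => n.toLowerCase())
    .filter((n) => !listed.includes(n) && !(wildcard && n !== "authorization"));
  if (blocked.length > 0) {
    return { allowed: false, blocked, reason: `Request header field ${blocked[0]} is not allowed by Access-Control-Allow-Headers in preflight response.` };
  }
  return { allowed: true, blocked: [], reason: null };
}

// Constructed sample: the origin and header name are from the console error;
// the token value and both server responses are assumed for illustration.
const sampleRequest = {
  origin: "https://cocalc.com", credentials: false,
  headers: { "X-XSRFToken": "constructed-token", Accept: "*/*" },
};
const rejecting = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "content-type" };
const accepting = { ...rejecting, "Access-Control-Allow-Headers": "content-type, x-xsrftoken" };
console.log(checkPreflight(sampleRequest, rejecting).reason);
console.log(checkPreflight(sampleRequest, accepting).allowed);
```
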

William Stein

Jan 29, 2020, 2:28:02 PM
to sage-cell
Hi,

I made a mistake with this message in that widgets/interact is not
relevant. I was confused because the SageCell server just
happened to randomly stop working (or be slow) **coincidentally**
exactly when I was trying widgets. Of course nothing at
all works without CORS set up properly, and when it is, then normal
output and widgets work equally well.

That said, I still think a better error message and documentation
related to CORS rather than silently failing might be better.

-- William
--
William (http://wstein.org)

Andrey Novoseltsev

Jan 29, 2020, 4:12:11 PM
to sage-cell
Hi William,

I've had a few issues with CORS in the past, including a bug in sockjs-tornado that I fixed, but the problem was always on our side, i.e. something had to be done in SageMathCell code to make things work. I am not aware of any specific CORS configuration that has to be done on the client side and it seems from common sense that there should not be any. Is there a way to make things work in your situation by doing server-side changes?

As for error messages - we never intend to fail silently, so when it does happen there is definitely a possibility to improve some code.

Thank you!
Andrey

William Stein

Jan 29, 2020, 4:24:50 PM
to Andrey Novoseltsev, sage-cell
On Wed, Jan 29, 2020 at 1:12 PM Andrey Novoseltsev <novo...@gmail.com> wrote:
>
> Hi William,
>
> I've had a few issues with CORS in the past, including a bug in sockjs-tornado that I fixed, but the problem was always on our side, i.e. something had to be done in SageMathCell code to make things work. I am not aware of any specific CORS configuration that has to be done on the client side and it seems from common sense that there should not be any. Is there a way to make things work in your situation by doing server-side changes?


I'm not sure. If you want to replicate the problem:

1. Make a file foo.html in a CoCalc project that embeds a cell.
2. In the file listing, click the checkbox next to the file, then the
download button, and click on the raw link that appears.
3. Observe an error in your console.log.

NOTE: I just investigated further and I see the CORS error when using
Google Chrome Version 79.0.3945.130, but NOT when using Firefox
72.0.1. So this could easily be one of those problems that only
happens due to Google Chrome turning the security screws.

> As for error messages - we never intend to fail silently, so when it does happen there is definitely a possibility to improve some code.
>
> Thank you!
> Andrey



--
William (http://wstein.org)

kcrisman

Jan 30, 2020, 8:14:29 AM
to sage-cell


> NOTE: I just investigated further and I see the CORS error when using
> Google Chrome Version 79.0.3945.130, but NOT when using Firefox
> 72.0.1. So this could easily be one of those problems that only
> happens due to Google Chrome turning the security screws.

Although I no longer recall the full details, I affirm that this is probably part or all of the issue. I seem to remember something very similar when we used CoCalc to host some training for PreTeXt (and hence Sage cells), and certainly viewing local files in some browsers causes a lot of stuff to not appear (especially knowls) by default, except in FF under some disabled settings. It might be worth having some recommendations to users somewhere about that in the sage cell documentation, if it isn't there already.

William Stein

Jan 30, 2020, 2:43:27 PM
to kcrisman, sage-cell
When I mentioned this to Harald Schilly just now, he said it was
something that we (at CoCalc) had configured to increase the security
of our site, since we want to make it very difficult for third-party
JavaScript to steal information about a user's account.

I wonder if there could also be an iframe version of the Sage Cell
server embeds, which provides better security and CSS isolation? It
would make a lot of sense for each sage cell to run in its own iframe.
E.g., colab has every single cell in a jupyter notebook run in its own
iframe...


--
William (http://wstein.org)