From 067c3993f26ea9544cdd8c1a30f043813896a42c Mon Sep 17 00:00:00 2001
From: Min RK
Date: Fri, 4 Dec 2020 12:05:46 +0100
Subject: [PATCH] handle allow_origin='*' in check_referrer

allow_origin can be the wildcard '*' to allow any host
check_referer should match check_origin
---
 notebook/base/handlers.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
index 74527d6450..216480291d 100755
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@@ -404,6 +404,10 @@ def check_referer(self):
 Used on GET for api endpoints and /files/
 to block cross-site inclusion (XSSI).
 """
+
+ if self.allow_origin == "*" or self.skip_check_origin():
+ return True
+
 host = self.request.headers.get("Host")
 referer = self.request.headers.get("Referer")
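Review bot: The new early return in check_referer disables the Referer check entirely when `allow_origin == "*"` or `skip_check_origin()` is true, but the docstring just above it still reads as if GET requests to the api endpoints and /files/ are always screened against cross-site inclusion. With the wildcard configured, XSSI protection for those endpoints rests only on whatever authentication is enforced elsewhere, and an operator should be able to learn that from the docstring. I would add a docstring line such as `If allow_origin is '*' or skip_check_origin() is true, the Referer is not checked at all.` and a comment above the condition, `# match check_origin: a wildcard or skipped origin check also skips the Referer check`. skip_check_origin is defined outside this hunk, so confirm which requests it exempts before wording that line. The body of check_referer also continues past the end of the hunk.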