get xsrf from cookie, not body data

so that it can't be skimmed with a GET of the page

notebook/static/base/js/utils.js

@@ -757,6 +757,12 @@ define([
         settings = _add_auth_header(settings);
         return $.ajax(url, settings);
     };
+    
+    var _get_cookie = function (name) {
+        // from tornado docs: http://www.tornadoweb.org/en/stable/guide/security.html
+        var r = document.cookie.match("\\b" + name + "=([^;]*)\\b");
+        return r ? r[1] : undefined;
+    }
 
     var _add_auth_header = function (settings) {
         /**
@@ -767,7 +773,7 @@ define([
             settings.headers = {};
         }
         if (!settings.headers.Authorization) {
-            var xsrf_token = get_body_data('xsrfToken');
+            var xsrf_token = _get_cookie('_xsrf');
             if (xsrf_token) {
                 settings.headers['X-XSRFToken'] = xsrf_token;
             }

notebook/templates/page.html

@@ -199,7 +199,6 @@
 
 <body class="{% block bodyclasses %}{% endblock %}"
  {% block params %}
-  data-xsrf-token="{{xsrf_token | urlencode}}"
   {% if logged_in and token %}
     data-jupyter-api-token="{{token | urlencode}}"
   {% endif %}