get xsrf from cookie, not body data

so that it can't be skimmed with a GET of the page
9 years ago · efdbef117f
parent c5bb329bf8
commit efdbef117f
2 changed files with 7 additions and 2 deletions
--- a/notebook/static/base/js/utils.js
+++ b/notebook/static/base/js/utils.js
@ -681,6 +681,12 @@ define([
        settings = _add_auth_header(settings);
        return $.ajax(url, settings);
    };
+    
+    var _get_cookie = function (name) {
+        // from tornado docs: http://www.tornadoweb.org/en/stable/guide/security.html
+        var r = document.cookie.match("\\b" + name + "=([^;]*)\\b");
+        return r ? r[1] : undefined;
+    }

    var _add_auth_header = function (settings) {
        /**
@ -691,7 +697,7 @@ define([
            settings.headers = {};
        }
        if (!settings.headers.Authorization) {
-            var xsrf_token = get_body_data('xsrfToken');
+            var xsrf_token = _get_cookie('_xsrf');
            if (xsrf_token) {
                settings.headers['X-XSRFToken'] = xsrf_token;
            }
--- a/notebook/templates/page.html
+++ b/notebook/templates/page.html
@ -115,7 +115,6 @@

 <body class="{% block bodyclasses %}{% endblock %}"
 {% block params %}
-  data-xsrf-token="{{xsrf_token | urlencode}}"
  {% if logged_in and token %}
    data-jupyter-api-token="{{token | urlencode}}"
  {% endif %}