From efdbef117f17ecdf1b8bbae00aabdcef141d6f02 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Tue, 13 Dec 2016 17:45:11 +0100
Subject: [PATCH] get xsrf from cookie, not body data so that it can't be skimmed with a GET of the page
---
 notebook/static/base/js/utils.js | 8 +++++++-
 notebook/templates/page.html | 1 -
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/notebook/static/base/js/utils.js b/notebook/static/base/js/utils.js
index b31a67c8b..fd8fe454c 100644
--- a/notebook/static/base/js/utils.js
+++ b/notebook/static/base/js/utils.js
@@ -681,6 +681,12 @@ define([
 settings = _add_auth_header(settings);
 return $.ajax(url, settings);
 };
+
+ var _get_cookie = function (name) {
// from tornado docs: http://www.tornadoweb.org/en/stable/guide/security.html
var r = document.cookie.match("\\b" + name + "=([^;]*)\\b");
return r ? r[1] : undefined;
}
 var _add_auth_header = function (settings) {
 /**
@@ -691,7 +697,7 @@ define([
 settings.headers = {};
 }
 if (!settings.headers.Authorization) {
- var xsrf_token = get_body_data('xsrfToken');
+ var xsrf_token = _get_cookie('_xsrf');
 if (xsrf_token) {
 settings.headers['X-XSRFToken'] = xsrf_token;
 }
diff --git a/notebook/templates/page.html b/notebook/templates/page.html
index 4107c8af4..c39dea26b 100644
--- a/notebook/templates/page.html
+++ b/notebook/templates/page.html
@@ -115,7 +115,6 @@
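Review bot: `_get_cookie` interpolates `name` into the regex unescaped and closes the pattern with `\b`, so a value ending in a non-word character (base64 `=` padding, a percent-encoded byte) would come back truncated; this is safe here only because the sole caller passes the literal `'_xsrf'` and tornado's xsrf cookie consists of hex, `|` and digits. That assumption deserves a comment next to the pattern, e.g. `// name is used unescaped and the trailing \b would truncate values ending in a non-word char; fine for tornado's _xsrf, not a general cookie parser`. It is also worth recording why the cookie is the right source: the `_xsrf` cookie must remain readable from JS (not HttpOnly) for this to work, and the token is still visible to any same-origin script, so the change defends against the page body being fetched from another origin, not against XSS. Minor style point: the function expression is not terminated with `;` the way the `};` two lines above is, so the following `var` relies on ASI. `_add_auth_header` begins in this hunk and its body continues in the next one.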
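Review bot: The header is attached purely on the basis that `settings.headers.Authorization` is unset, so every request routed through this helper carries the xsrf token regardless of destination; if the caller visible in the previous hunk (`settings = _add_auth_header(settings); return $.ajax(url, settings);`) is ever invoked with an absolute URL on another origin, the token is disclosed to that origin. A same-origin check on `url` in that caller before it calls `_add_auth_header` (attach only when `url` is relative or its origin equals `location.origin`) would confine the token to the notebook server. Separately, `_get_cookie` returns `undefined` when the cookie is absent (first load before the server has set it, or a cookie scoped to a different path), and the request then goes out with no token and is rejected server-side with nothing logged client-side; a `console.warn('no _xsrf cookie; request will be rejected')` in the else branch would make that failure mode visible. `_add_auth_header` starts in the previous hunk and its closing lines are outside this one.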