Add xsrf exception to Tensorboard POST requests.

Expand xsrf_cookie exceptions, normally only applied to GET and HEAD
requests in the IPythonHandler, to POST requests in TensorboardHandler.

Provides support for hparams plugin, which uses POST to retrieve
experiment information but can't be trivially extended to include xsrf
information in these POST requests. Mirrors existing IPythonHandler
behavior, falling back to Referer header rather than form parameters.

Author: asford

jupyter_tensorboard/handlers.py

@@ -91,6 +91,34 @@ def post(self, name, path):
         else:
             raise web.HTTPError(404)
 
+    def check_xsrf_cookie(self):
+        """Expand xsrf check exception for POST requests.
+
+        Expand xsrf_cookie exceptions, normally only applied to GET and HEAD
+        requests, to POST requests for tensorboard api.
+
+        Provides support for hparams plugin, which uses POST to retrieve
+        experiment information but can't be trivially extended to include xsrf
+        information in these POST requests.
+
+        """
+
+        try:
+            return super(TensorboardHandler, self).check_xsrf_cookie()
+        except web.HTTPError:
+            if self.request.method in {"GET", "POST", "HEAD"}:
+                # Consider Referer a sufficient cross-origin check for GET requests
+                # Extended to post for Tensorboard API
+                if not self.check_referer():
+                    referer = self.request.headers.get("Referer")
+                    if referer:
+                        msg = "Blocking Cross Origin request from {}.".format(referer)
+                    else:
+                        msg = "Blocking request from unknown origin"
+                    raise web.HTTPError(403, msg)
+            else:
+                raise
+
 
 class TensorboardErrorHandler(IPythonHandler):
     pass