XSRF cookie path should be set to base_url instead of '/'

[ykazakov]

Describe the bug

When opening notebook in a browser, the _xsrf cookie is installed at the root path '/', which is also accessible from other services running on the same host. This can cause errors, for example when jupyter lab or other notebooks run on the same host.
See: jupyterhub/jupyterhub#3767

Instead, the cookie should be set for base_url, similarly as done for jupyter server by adding these lines to /notebook/notebookapp.py:

if base_url and "xsrf_cookie_kwargs" not in settings:
    # default: set xsrf cookie on base_url
    settings["xsrf_cookie_kwargs"] = {"path": base_url}

I can submit a PR if there is a chance that its going to be merged. ;-)

[minrk]

FWIW, this is already fixed in jupyter-server, so the same patch can be applied on this repo: jupyter-server/jupyter_server#612