allow disabling xsrf check

for deployments that want to grant unfettered access, even from anonymous API requests

Author: minrk

notebook/base/handlers.py

@@ -324,7 +324,7 @@ def check_origin(self, origin_to_satisfy_tornado=""):
 
     def check_xsrf_cookie(self):
         """Bypass xsrf checks when token-authenticated"""
-        if self.token_authenticated:
+        if self.token_authenticated or self.settings.get('disable_check_xsrf', False):
             # Token-authenticated requests do not need additional XSRF-check
             # Servers without authentication are vulnerable to XSRF
             return

notebook/notebookapp.py

@@ -193,6 +193,7 @@ def init_settings(self, ipython_app, kernel_manager, contents_manager,
             logout_handler_class=ipython_app.logout_handler_class,
             password=ipython_app.password,
             xsrf_cookies=True,
+            disable_check_xsrf=ipython_app.disable_check_xsrf,
 
             # managers
             kernel_manager=kernel_manager,
@@ -560,6 +561,22 @@ def _token_changed(self, name, old, new):
                       """
     )
 
+    disable_check_xsrf = Bool(False, config=True,
+        help="""Disable cross-site-request-forgery protection
+
+        Jupyter notebook 4.3.1 introduces protection from cross-site request forgeries,
+        requiring API requests to either:
+
+        - originate from the (validated with XSRF cookie and token), or
+        - authenticate with a token
+
+        Some anonymous compute resources still desire the ability to run code,
+        completely without authentication.
+        These services can disable all authentication and security checks,
+        with the full knowledge of what that implies.
+        """
+    )
+
     open_browser = Bool(True, config=True,
                         help="""Whether to open in a browser after starting.
                         The specific browser used is platform dependent and