Hydrogen: Remote Kernels: "'_xsrf' argument missing from POST" when token is empty string

Edit: Setting c.NotebookApp.token to a non-empty string also solves the problem for me, and is safer. I don't recommend enabling c.NotebookApp.disable_check_xsrf

This can be solved by changing #c.NotebookApp.disable_check_xsrf = False to c.NotebookApp.disable_check_xsrf = True in jupyter_notebook_config.py.

Well, I'm guessing the _xsrf check is there for a reason?

Yes, if you have neither xsrf tokens nor a form of authentication (e.g. tokens or passwords), it becomes very easy for malicious websites to secretly issue requests to your notebook server.

I think it's unlikely that hydrogen will support XSRF functionality, because hydrogen isn't a fully-featured web browser.

Fortunately Hydrogen's authentication story has gotten much better lately, and I don't think XSRF is required for authenticated requests. You can specify a fixed token in the gateway config, or leave out the "token" field from the config and enter one in manually each time you connect to the gateway. You can even copy an authentication cookie from your browser (useful if someone else is administering your notebook server and you can't request a token from it).

I am facing a similar issue with Jupyter notebook where suddenly I get Autosave failed with '_xsrf' argument missing from the post. This is so frustrating as I have a lot of unsaved changes.

Same story here @acerock6
I'm simply running it on my laptop.
I have no clue how to save my notebook now as it always fails!

[W 18:23:22.758 NotebookApp] 403 PUT /api/contents/BSolve%20challenge.ipynb (::1): '_xsrf' argument missing from POST
[W 18:23:22.758 NotebookApp] '_xsrf' argument missing from POST
[W 18:23:22.774 NotebookApp] 403 PUT /api/contents/BSolve%20challenge.ipynb (::1) 31.24ms referer=http://localhost:8888/notebooks/BSolve%20challenge.ipynb
[W 18:24:33.094 NotebookApp] 403 PUT /api/contents/BSolve%20challenge.ipynb (::1): '_xsrf' argument missing from POST
[W 18:24:33.094 NotebookApp] '_xsrf' argument missing from POST
[W 18:24:33.094 NotebookApp] 403 PUT /api/contents/BSolve%20challenge.ipynb (::1) 15.22ms referer=http://localhost:8888/notebooks/BSolve%20challenge.ipynb
[W 18:24:45.716 NotebookApp] 403 PUT /api/contents/BSolve%20challenge.ipynb (::1): '_xsrf' argument missing from POST
[W 18:24:45.716 NotebookApp] '_xsrf' argument missing from POST
[W 18:24:45.716 NotebookApp] 403 PUT /api/contents/BSolve%20challenge.ipynb (::1) 18.63ms referer=http://localhost:8888/notebooks/BSolve%20challenge.ipynb
[W 18:25:23.165 NotebookApp] 403 PUT /api/contents/BSolve%20challenge.ipynb (::1): '_xsrf' argument missing from POST
[W 18:25:23.165 NotebookApp] '_xsrf' argument missing from POST
[W 18:25:23.165 NotebookApp] 403 PUT /api/contents/BSolve%20challenge.ipynb (::1) 15.58ms referer=http://localhost:8888/notebooks/BSolve%20challenge.ipynb

Edit

suddenly after couple of minutes, jupyter saved my notebook 😆

For some reason, if I open another notebook in the same kernel, this error goes away and I'm allowed to save...

Hi,
Even I faced the same issue.
Solution: Try downloading your file (this will save the work), and you will be redirected to password page of jupyter notebook where the token is required to download the file which can be found on cmd localhost section. After this, you will be able to save the notebook again and your work will be downloaded.

Hi,
I also encountered this issue, the solution was to refresh the localhost page, which then will ask you for a password or token to log in. Follow the instructions on the screen to get the access back to your notebook.

Changing < #c.NotebookApp.disable_check_xsrf = False > to < c.NotebookApp.disable_check_xsrf = True > in jupyter_notebook_config.py works! It's maybe not an optimal solution but I have had enough with Jupyter Notebook oddities!

I had the error after I accidentally deleted my browsers history after about 3 weeks since it was slowing the browser. It could be the same case

Prem
I'm glad you mentioned the browser history. I started having the same error, and after reading your comment, I remembered that I had cleared the browser history earlier in the day.

I was able to copy the code from jupyter to my pc, so it wasn't a big issue.

@jforrest888 No problem. Glad it helped. Thanks!

hey all. I've run into this on and off with my students. i'd like to understand what is causing this issue. If the notebook is lanched via a server that contains the token authentication, why would it "lose" that connection . what is the trigger for the issue?

It seems I'm in the wrong place. My solution has been totally ignored ...

It seems I'm in the wrong place. My solution has been totally ignored ...

Maybe because it's the same solution as posted by @kylebarron last year and deemed as not optimal as it opens security vulnerabilities.

For some reason, if I open another notebook in the same kernel, this error goes away and I'm allowed to save...

This worked for me as well. seems to re-establish a good connection to the server.

I was using chrome and allowing pop-ups made it work again.

I had this issue with NoJS addon. Just add permission or turn it off. This solves problems with JS-block addons.

Hi,
Even I faced the same issue.
Solution: Try downloading your file (this will save the work), and you will be redirected to password page of jupyter notebook where the token is required to download the file which can be found on cmd localhost section. After this, you will be able to save the notebook again and your work will be downloaded.

Hi,
I also encountered this issue, the solution was to refresh the localhost page, which then will ask you for a password or token to log in. Follow the instructions on the screen to get the access back to your notebook.

I had hard time solving. Your solution worked like a charm !

Hi,
Even I faced the same issue.
Solution: Try downloading your file (this will save the work), and you will be redirected to password page of jupyter notebook where the token is required to download the file which can be found on cmd localhost section. After this, you will be able to save the notebook again and your work will be downloaded.

Hi,
I also encountered this issue, the solution was to refresh the localhost page, which then will ask you for a password or token to log in. Follow the instructions on the screen to get the access back to your notebook.

I had this _xsrf issue probably because I put my computer on sleep and did not use it for a few days
(Since I was unwell.) Refreshing the http://localhost:8888/tree/ tab in my browser fixed the issue.

Hi,
I also faced the same issue, sometimes.
In my case, I believe it happens when the browser is updated.

Hi,
I also encountered this issue, the solution was to refresh the localhost page, which then will ask you for a password or token to log in. Follow the instructions on the screen to get the access back to your notebook.

This answer does not make it clear whether the notebook was saved during the refresh. Usually Refresh causes content to be lost.

Hi,
Even I faced the same issue.
Solution: Try downloading your file (this will save the work), and you will be redirected to password page of jupyter notebook where the token is required to download the file which can be found on cmd localhost section. After this, you will be able to save the notebook again and your work will be downloaded.

Hi,
I also encountered this issue, the solution was to refresh the localhost page, which then will ask you for a password or token to log in. Follow the instructions on the screen to get the access back to your notebook.

I had this _xsrf issue probably because I put my computer on sleep and did not use it for a few days
(Since I was unwell.) Refreshing the http://localhost:8888/tree/ tab in my browser fixed the issue.

This solution sounds better because it gets the Jupyter Server up to date and then save should work. I'll try this next.

In case if occurs again... try to interrupt the kernel and restart the kernel again.
This may occur due to some RTOS issue.

For some reason, if I open another notebook in the same kernel, this error goes away and I'm allowed to save...

simply kernel->reconnect works for me.

Once check time. Because of wrong date and time you are facing that issue. I faced same issue because of time. I simply changed my time to current then It's working fine!

Thanks!

no need to open another notebook,just close cmd terminal of jupyter ,but dont close the file from web browser ,after restarting the jupyter click on reconnect in web browser file

Hi,
I also encountered this issue, the solution was to refresh the localhost page, which then will ask you for a password or token to log in. Follow the instructions on the screen to get the access back to your notebook.

I used the safer alternative of duplicating the tab. It saved the file and seemed much less risks than reloading it.

Happened with me too.
Press enter on the jupyter kernel and then refresh local_host as well as your file.
Might work

Edit: Setting c.NotebookApp.token to a non-empty string also solves the problem for me, and is safer. I don't recommend enabling c.NotebookApp.disable_check_xsrf

This can be solved by changing #c.NotebookApp.disable_check_xsrf = False to c.NotebookApp.disable_check_xsrf = True in jupyter_notebook_config.py.

I was also facing same issue but refresh or opening in different browser or re-installing anaconda didn't work. I have added c.NotebookApp.disable_check_xsrf = False in my jupyter_notebook_config.py file and opened in a different browser which was working and my default chrome was still having same issue. Earlier before adding this property I was having issues even opening in different browsers.

I met this issue when tried to embed Jupyter notebook into another website by using chrome Version 84.0.4147.125.
The reason if chrome block the cookie due to the request is from different site. Old version of chrome may not have this issue. Notebook url(ip1:port) is different from frame ancestors(e.g. ip2:port). PUT request is failed even I set Content-Security-Policy on config file. So my suggestion is adding proxy forward strategy to make notebook url under the same site.

I am facing the same issue. At that time I thought it was nothing because I checked the last saving time. But now when I open the notebook my work has gone. Is there any way to recover it?

Is it time for someone to open a new issue with the error and repro steps as this was opened in 2017?

Ok, what if nteract and jupyter notebook come together to store the notebook in the Electron equivalent of localStorage. And then the changes are merged when a fresh token arrives. OR, remove the requirement for saving to have a xsrf token, only execution requires token security.

Ps, I brainstormed on this for 5 minutes and came up with 2 better designs than what we are dealing with now.

Ps, I brainstormed on this for 5 minutes and came up with 2 better designs than what we are dealing with now.

@briancullinan Not sure the point of this statement, are you going to send your idea in a PR or just congratulate yourself? Someone (you for example) needs to work on this or it won't change.

@BenRussert I meant, basic design principals would dictate a users data shouldn't be discarded at random. There is plenty of technology already available to prevent this stuff front happening. It's been around for decades. I don't have time right now. If were up to me the entire client would be rewritten. Is there a benefit to having a desktop app instead of a web app? I like the visual style of nteract better than jupyter notebook web but I don't see what other benefits there are to it... Community fracturing might by why this isn't fixed yet.

Ps, as someone who likes to save the output from their program, I'm at a loss too. We could talk about how awful Git tools are too? Like why I can see a graph on GitHub desktop?

@briancullinan I might try to help you more if you weren't so out of line. Your rant is confused and uninformed, all while acting smug like some kind of expert who doesnt need anyone else. I'd be upset and offended as a volunteer contributor if I wasn't so embarrassed for you after reading this.

Everyone else, I think I'll lock this three year old issue now, the original solution is in this comment. If there's a new bug please open a new issue explaining the bug and how to reproduce.