diff --git a/binderhub/static/js/index.js b/binderhub/static/js/index.js
index fc03894be..dbd9639ab 100644
--- a/binderhub/static/js/index.js
+++ b/binderhub/static/js/index.js
@@ -60,7 +60,7 @@ async function build(providerSpec, log, fitAddon, path, pathType) {
 $(".on-build").removeClass("hidden");
 const buildToken = $("#build-token").data("token");
- let apiToken = $("#api-token").data("token");
+ const apiToken = $("#api-token").data("token");
 const buildEndpointUrl = new URL("build", BASE_URL);
 const image = new BinderRepository(providerSpec, buildEndpointUrl, {
 apiToken,
diff --git a/js/packages/binderhub-client/lib/index.js b/js/packages/binderhub-client/lib/index.js
index deff973a6..5497a858d 100644
--- a/js/packages/binderhub-client/lib/index.js
+++ b/js/packages/binderhub-client/lib/index.js
@@ -5,6 +5,7 @@ import { EventIterator } from "event-iterator";
 function _getXSRFToken() {
 // from @jupyterlab/services
+ // https://github.com/jupyterlab/jupyterlab/blob/69223102d717f3d3e9f976d32e657a4e2456e85d/packages/services/src/contents/index.ts#L1178-L1184
 let cookie = "";
 try {
 cookie = document.cookie;
@@ -12,6 +13,9 @@ function _getXSRFToken() {
 // e.g. SecurityError in case of CSP Sandbox
 return null;
 }
+ // extracts the value of the cookie named `_xsrf`
+ // by picking up everything between `_xsrf=` and the next semicolon or end-of-line
+ // `\b` ensures word boundaries, so it doesn't pick up `something_xsrf=`...
 const xsrfTokenMatch = cookie.match("\\b_xsrf=([^;]*)\\b");
 if (xsrfTokenMatch) {
 return xsrfTokenMatch[1];
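Review bot: The comment added above `cookie.match("\\b_xsrf=([^;]*)\\b")` in the last hunk promises more than the pattern enforces. The leading `\b` only requires a non-word character before `_xsrf`, so a cookie whose name ends in `-_xsrf` or `._xsrf` also matches, and the trailing `\b` ends the capture at the last word character, so a value ending in `=` or `|` comes back truncated rather than as "everything up to the next semicolon". If the wrong or shortened value is the one returned, the server would presumably reject the request's XSRF check. Either reword the comment to state these limits, or anchor on the cookie separator instead, e.g. `const xsrfTokenMatch = cookie.match("(?:^|;\\s*)_xsrf=([^;]*)");`, accepting that this diverges from the JupyterLab snippet linked in the previous hunk. `_getXSRFToken` begins in that previous hunk and its body continues past the end of this one.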