Disable XSRF protection in StreamlitFrontend to support upload in loc…

…alhost (#15684)

* Enable CORS in StreamlitFrontend to support upload
* Only disable XSRF when running on localhost
* Update test
* Use utility fn to detect if localhost

Co-authored-by: Luca Antiga <luca@lightning.ai>

src/lightning_app/frontend/stream_lit.py

@@ -6,6 +6,7 @@
 
 import lightning_app
 from lightning_app.frontend.frontend import Frontend
+from lightning_app.utilities.cloud import is_running_in_cloud
 from lightning_app.utilities.imports import requires
 from lightning_app.utilities.log import get_logfile
 
@@ -83,6 +84,8 @@ def start_server(self, host: str, port: int) -> None:
                     self.flow.name,
                     "--server.headless",
                     "true",  # do not open the browser window when running locally
+                    "--server.enableXsrfProtection",
+                    "true" if is_running_in_cloud() else "false",
                 ],
                 env=env,
                 stdout=stdout,

tests/tests_app/frontend/test_stream_lit.py

@@ -54,6 +54,8 @@ def test_streamlit_frontend_start_stop_server(subprocess_mock):
         "root.my.flow",
         "--server.headless",
         "true",
+        "--server.enableXsrfProtection",
+        "false",
     ]
 
     assert env_variables["LIGHTNING_FLOW_NAME"] == "root.my.flow"