'_xsrf' argument missing from POST Cannot connect to remote Jupyter server

[clayms]

Issue Type: Bug
An instance of Jupyter Labs works without issue from the same computer. However, with VS Code I get Invalid response: 403 Forbidden.

This only started happening recently after a VS Code update. I have not updated Jupyter.

The Jupyter Server terminal shows (only when trying to connect from VS Code):

[W 2021-08-12 21:06:16.694 ServerApp] Forbidden
[W 2021-08-12 21:06:16.695 ServerApp] 403 GET /api/sessions?1628802376650 (10.23
[W 2021-08-12 21:06:16.696 ServerApp] 403 POST /api/sessions?1628802376654 (10.2
[W 2021-08-12 21:06:16.696 ServerApp] '_xsrf' argument missing from POST

Extension version: 2021.8.1195043623
VS Code version: Code 1.59.0 (379476f0e13988d90fab105c5c19e7abc8b1dea8, 2021-08-04T23:13:12.822Z)
OS version: Windows_NT x64 10.0.14393
Restricted Mode: No

System Info

Item	Value
CPUs	Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz (2 x 2400)
GPU Status	2d_canvas: unavailable_software gpu_compositing: disabled_software multiple_raster_threads: disabled_off oop_rasterization: disabled_off opengl: disabled_off rasterization: disabled_software skia_renderer: enabled_on video_decode: disabled_software vulkan: disabled_off webgl: unavailable_software webgl2: unavailable_software
Load (avg)	undefined
Memory (System)	8.00GB (1.16GB free)
Process Argv	--crash-reporter-id 1e88d7ed-dfc2-42ed-b5d3-970568cb872e
Screen Reader	no
VM	0%

A/B Experiments

vsliv368:30146709
vsreu685:30147344
python383cf:30185419
pythonvspyt700cf:30270857
pythonvspyt602:30300191
vspor879:30202332
vspor708:30202333
vspor363:30204092
vswsl492cf:30256860
vstes516:30244333
pythonvspyt639:30300192
pythontb:30283811
pythonptprofiler:30281270
vshan820:30294714
vstes263:30335439
pythondataviewer:30285071
pythonvsuse255:30340121
vscod805cf:30301675
pythonvspyt200:30340761
vscextlangct:30333562
binariesv615:30325510
pythonvssor306:30344512
bridge0708:30335490
vstre464cf:30350173
bridge0723cf:30351748

[DonJayamanne]

Thanks for filing this issue, I'll look into this today.

[DonJayamanne]

I'm sorry, but I'm unable to replicate this issue

• What version of Jupyter lab do you have
• What version of Python do you have installed?
• Is it anaconda, pip env, or other?
• Are you using Jupyter Lab or Jupyter Hub?
• Also what kind of authorization are you using? Username password?

[jonasbb]

I am running into this issue too. Here are the details about my environment:

• What version of Jupyter lab do you have
  • jupyter lab --version says 3.1.9
• What version of Python do you have installed?
  • Python 3.9.6
• Is it anaconda, pip env, or other?
  • pip
• Are you using Jupyter Lab or Jupyter Hub?
  • Jupyter Lab
• Also what kind of authorization are you using? Username password?
  • Token authentication with a server running on localhost.
    http://localhost:8888/lab?token=TOKEN

I have VS Code Version 1.59.1 with Jupyter extension v2021.8.1236758218. In the "Pick how to connect to Jupyter" dialog, I selected "Existing" and pasted the token-URL.
This is the warning output on the CLI of the jupyter lab instance:

[W 2021-08-27 15:26:21.073 ServerApp] Forbidden
[W 2021-08-27 15:26:21.073 ServerApp] 403 GET /api/sessions?1630070780900 (::1) 0.92ms referer=None
[W 2021-08-27 15:26:21.073 ServerApp] Forbidden
[W 2021-08-27 15:26:21.073 ServerApp] 403 GET /api/kernelspecs?1630070780912 (::1) 0.97ms referer=None
[W 2021-08-27 15:26:21.073 ServerApp] 403 POST /api/sessions?1630070780919 (::1): '_xsrf' argument missing from POST
[W 2021-08-27 15:26:21.073 ServerApp] '_xsrf' argument missing from POST
[W 2021-08-27 15:26:21.073 ServerApp] 403 POST /api/sessions?1630070780919 (::1) 1.13ms referer=None

[clayms]

@jonasbb
Try accepting all cookies in the LYNX browser that pops up in the terminal when you start the Jupyter Lab. You may have to try multiple times to get it to finally work.

This is a bug. Jupyter Labs opens just fine in a browser without having to do this. It is only this VS Code extension that has this issue. Though it could likely be any environment other than the browser.

---

To get the LYNX browser to accept cookies:

1. after you start Jupyter Labs, the LYNX browser will start in your terminal. you should see:

Commands: Use arrow keys to move, '?' for help, 'q' to quit, '<-' to go back.
  Arrow keys: Up and Down to move.  Right to follow a link; Left to go back.
 H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list

2. with the same terminal active, press the Enter key. You should see something like:

<your_ip_address> cookie: username-<your_ip_address>-8=2|1:0|10:1630081600|27:username-<your_ip_address>-8891|44:oijnfdvubwhebfmblkKBJHBvhvvh=|khsabdvjsadbgvJHBBjkbJhjsdbba774etbudsaubdusa Allow? (Y/N/Always/neVer)

3. Enter A. you should briefly see:

'A'lways allowing from domain '<your_ip_address>'.

before it reverts to:

Commands: Use arrow keys to move, '?' for help, 'q' to quit, '<-' to go back.

Not sure if it matters, but at this point I usually press q, then y to quit the LYNX browser.

[jonasbb]

@clayms Opening the browser and using jupyter lab from the browser work fine. I don't understand the suggestion to use the lynx browser.

[clayms]

@jonasbb
Yes, but the whole point of this issue thread is the problem getting it to work in the VS Code Jupyter extension.

[clayms]

@jonasbb

I see you edited your comment to include "I don't understand the suggestion to use the lynx browser."

I did not suggest using the LYNX browser. The LYNX browser is a terminal-only browser that starts automatically every time you start any Jupyter server.

To prevent this from happening set the --browser flag to False. Then you won't have to do anything with the LYNX browser at all.
e.g. start your Jupyter server with:

jupyter lab --ip=<your_ip_address>  --browser=False

Note: If you are running from localhost and not a remote server, you can drop the --ip flag.

[jonasbb]

@clayms Let me clarify my situation:

1. Starting jupyterlab works fine, either with browser or without (--no-browser).
2. There is no LYNX on the machine. The browser started is a normal GUI browser. Using jupyterlab from within the browser works. The browser accepts cookies by default.
3. Connecting VSCode to jupyterlab via the http://localhost:8888/lab?token=TOKEN URL works. The problem appears when executing a cell. For each execution request I see the _xsrf warning in the log of jupyterlab.

[clayms]

@jonasbb

You issue is possibly related to mine, but I am not sure. I am always starting a Jupyter server on a remote server and then pasting the resulting link+token in VS Code. Several versions ago, Anaconda started using the LYNX terminal based browser as default. Though this may only happen if Anaconda can't find a system browser. Anaconda even has LYNX in its repo: https://anaconda.org/conda-forge/lynx.

In any case, when running from a remote server, either using the command-line option --browser=False, or accepting all cookies in the LYNX browser that automatically starts after starting Jupyter Labs solved the problem for me.

[DonJayamanne]

@clayms
Please could you start juyter with the following CLI arg --allow_remote_access=true, that works for me.

[fabiopedroa1982]

thanks very much, working

[jaredyam]

Same issue here, but I have solved this issue by changing my custom jupyter configure, which has been discussed in nteract/hydrogen#922 (comment)

[DonJayamanne]

@clayms please could you try the same thing

[clayms]

using --browser=False or --allow_remote_access=true fixes the problem for me.

I don't want to change c.NotebookApp.disable_check_xsrf from False to True. From what I read in that issue thread, it could open up a security vulnerability.

[DonJayamanne]

Thanks for getting back with the confirmation that it works.
Closing this issue, as it has been fixed.