CORS is not checked when browsing files. check origin now https://github.com/jupyter-server/jupyter_server/issues/1459

[gogasca]

Add check_origin check during check_xsrf_cookie for files.
Details:
#1459

[vidartf]

@gogasca Thanks for the issue and the PR. I've been reading it, and agree that the allow_origin_pat should be checked in this case as well. That said, in the exception handler there is already some code to call check_referer for GET and HEAD, and the docstring of that method already specifically mentions the /files endpoint, so I think it should probably be the method used here (at least for GET/HEAD). Also, I want to be careful to see if there are any configuration scenarios where the extra check would fail some existing behavior that we still want to allow, so I've been discussing this in the dev call (cc @Zsailer ), so the review might take a bit longer.

Happy for any input you have on the above, and thanks again!