cylc / cylc-ui

Web app for monitoring and controlling Cylc workflows
https://cylc.github.io
GNU General Public License v3.0

Include XSRF token in userprofile request #1778

Closed minrk closed 4 months ago

minrk commented 5 months ago

JupyterHub 4.1 applies XSRF checks consistently to authenticated GET requests, so apply the same getCylcHeaders logic used in the graphQL POST request to all requests (userprofile was the only other one I found). As a result, getCylcHeaders is moved to a common location in utils/url, rather than being confined to graphQL.

This solves the userprofile request, described in https://github.com/jupyterhub/jupyterhub/issues/4800

Together with https://github.com/cylc/cylc-uiserver/pull/592, cylc works with JupyterHub 4.1.5

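An added illustration of the pattern the description outlines, not code from cylc-ui or from this PR: one header-building helper shared by the GraphQL POST and the userprofile GET, so both carry the XSRF token JupyterHub 4.1 checks. The function names mirror the description; the `_xsrf` cookie and `X-XSRFToken` header are Tornado's defaults (which JupyterHub uses), and the cookie string is a constructed sample.

```javascript
// Added example, not cylc-ui's own code. The `_xsrf` cookie and the
// `X-XSRFToken` header are Tornado's defaults, which JupyterHub uses.
const XSRF_COOKIE = '_xsrf'
const XSRF_HEADER = 'X-XSRFToken'

// Parse a document.cookie-style string into a name -> value map.
function parseCookies (cookieString) {
  const jar = {}
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=')
    if (idx === -1) continue
    const name = part.slice(0, idx).trim()
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim())
  }
  return jar
}

// Headers every request to the UI server should carry: the XSRF token when
// the cookie is present. Without the cookie the header is simply omitted and
// the server-side XSRF check rejects the request as it should.
function getCylcHeaders (cookieString) {
  const token = parseCookies(cookieString)[XSRF_COOKIE]
  return token ? { [XSRF_HEADER]: token } : {}
}

// The userprofile GET: the request this PR fixes, now sharing getCylcHeaders.
function userProfileRequest (cookieString) {
  return {
    method: 'GET',
    credentials: 'same-origin',
    headers: { Accept: 'application/json', ...getCylcHeaders(cookieString) }
  }
}

// The GraphQL POST, which already carried the token before the PR.
function graphqlRequest (query, variables, cookieString) {
  return {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/json', ...getCylcHeaders(cookieString) },
    body: JSON.stringify({ query, variables })
  }
}

// Constructed sample cookie string (placeholder token, not a real one).
const SAMPLE_COOKIES = 'jupyterhub-session-id=abc123; _xsrf=2|aaaa|bbbb|1700000000; theme=dark'
```

In the browser the cookie string is `document.cookie`, and the returned objects are the options passed to `fetch` together with the request URL.
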
oliver-sanders commented 5 months ago

Many thanks for your fixes @minrk, greatly appreciated!

minrk commented 5 months ago

Worth linking this comment where I suggested using API tokens to make API requests, which avoids all xsrf fiddliness. This PR is the smallest change to keep things working as they are.

I didn't make the API token change because I don't know the best way to get the token from Python to JavaScript in your stack, but if someone wants to take that on, the token is available as token = self.hub_auth.get_token(self) when using JupyterHub authentication, and can then be injected into templates for authenticated pages, etc.