Don't protect static assets from XSRF

[minrk]

JupyterHub 4.1 applies XSRF checks to authenticated GET requests, which is not necessary for static assets. It would be a valid alternative to not authenticate these requests.

This solves the static asset request, described in https://github.com/jupyterhub/jupyterhub/issues/4800

The userprofile request must be addressed in https://github.com/cylc/cylc-ui

Check List

• [x] I have read CONTRIBUTING.md and added my name as a Code Contributor.
• [x] Contains logically grouped changes (else tidy your branch by rebase).
• [x] Does not contain off-topic changes (use other PRs for other changes).
• [x] No dependency changes
• [x] Tests are not needed for this
• [x] CHANGES.md entry included if this is a change that can affect users
• [x] cylc-doc PR not needed
• [x] If this is a bug fix, PR should be raised against the relevant ?.?.x branch.

[MetRonnie]

@oliver-sanders I think this should be on 1.4.5 milestone?

[oliver-sanders]

(we will probs skip 1.4.5 since we are near ready for 1.5.0 release but we can merge it through as normal)

[minrk]

I added one more commit based on https://github.com/jupyterhub/jupyterhub/issues/4800#issuecomment-2092945342 to ensure the xsrf cookie is set on GET /cylc/