fix(csrf): add exception for electron for httpOnly cookie

it does not seem to like having httpOnly set in electron
2025-10-26 07:46:30 +01:00 · 2025-01-17 09:23:00 +01:00
parent b2e1a3e97a
commit 9382c278b3
1 changed files with 2 additions and 1 deletions
--- a/src/routes/csrf_protection.ts
+++ b/src/routes/csrf_protection.ts
@@ -1,5 +1,6 @@
 import { doubleCsrf } from "csrf-csrf";
 import sessionSecret from "../services/session_secret.js";
+import { isElectron } from "../services/utils.js";

 const doubleCsrfUtilities = doubleCsrf({
    getSecret: () => sessionSecret,
@@ -7,7 +8,7 @@ const doubleCsrfUtilities = doubleCsrf({
        path: "", // empty, so cookie is valid only for the current path
        secure: false,
        sameSite: "strict",
-        httpOnly: true
+        httpOnly: !isElectron() // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966
    },
    cookieName: "_csrf"
 });