Tools/Notes
1
0
Fork 0
mirror of https://github.com/TriliumNext/Notes.git synced 2025-08-10 10:22:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #966 from pano9000/fix_csrf-electron-httpOnly

Browse Source 
fix(csrf): add exception for electron for httpOnly cookie
This commit is contained in:
Elian Doran 2025-01-17 18:36:02 +02:00 committed by GitHub
commit 467852191d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/routes/csrf_protection.ts
View File

@ -1,5 +1,6 @@
import { doubleCsrf } from "csrf-csrf";
import sessionSecret from "../services/session_secret.js";
import { isElectron } from "../services/utils.js";
const doubleCsrfUtilities = doubleCsrf({
getSecret: () => sessionSecret,
@ -7,7 +8,7 @@ const doubleCsrfUtilities = doubleCsrf({
path: "", // empty, so cookie is valid only for the current path
secure: false,
sameSite: "strict",
httpOnly: true
httpOnly: !isElectron() // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966
},
cookieName: "_csrf"
});