From 9382c278b38ef14a3653590fab3156bfa0674527 Mon Sep 17 00:00:00 2001
From: Panagiotis Papadopoulos <pano_90@gmx.net>
Date: Fri, 17 Jan 2025 09:23:00 +0100
Subject: [PATCH] fix(csrf): add exception for electron for httpOnly cookie

it does not seem to like having httpOnly set in electron
---
 src/routes/csrf_protection.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/routes/csrf_protection.ts b/src/routes/csrf_protection.ts
index 0c7968af8..514758c5a 100644
--- a/src/routes/csrf_protection.ts
+++ b/src/routes/csrf_protection.ts
@@ -1,5 +1,6 @@
 import { doubleCsrf } from "csrf-csrf";
 import sessionSecret from "../services/session_secret.js";
+import { isElectron } from "../services/utils.js";
 
 const doubleCsrfUtilities = doubleCsrf({
     getSecret: () => sessionSecret,
@@ -7,7 +8,7 @@ const doubleCsrfUtilities = doubleCsrf({
         path: "", // empty, so cookie is valid only for the current path
         secure: false,
         sameSite: "strict",
-        httpOnly: true
+        httpOnly: !isElectron() // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966
     },
     cookieName: "_csrf"
 });