settings: allow CSRF token access in JS

WikipediaLibrary · Apr 29, 2022 · ff82661 · ff82661
1 parent 74d1ed2
commit ff82661
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/TWLight/settings/server.py b/TWLight/settings/server.py
@@ -16,6 +16,8 @@
 # Let Django know that allowed hosts are trusted for CSRF.
 # Needed to be added for /admin
 CSRF_TRUSTED_ORIGINS = ALLOWED_HOSTS
+# Allow CSRF token access in JavaScript
+CSRF_COOKIE_HTTPONLY = False
 
 # Never debug on servers
 DEBUG = False
@@ -24,7 +26,6 @@
 # python manage.py check --deploy
 SESSION_COOKIE_SECURE = True
 CSRF_COOKIE_SECURE = True
-CSRF_COOKIE_HTTPONLY = True
 X_FRAME_OPTIONS = "DENY"
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True