From ff826618c471d8573e39ae99164474c978d8eaff Mon Sep 17 00:00:00 2001
From: Jason Sherman
Date: Fri, 29 Apr 2022 10:51:19 -0500
Subject: [PATCH] settings: allow CSRF token access in JS

---
 TWLight/settings/server.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/TWLight/settings/server.py b/TWLight/settings/server.py
index a2f5f68021..1c6ebf7e6b 100644
--- a/TWLight/settings/server.py
+++ b/TWLight/settings/server.py
@@ -16,6 +16,8 @@
 # Let Django know that allowed hosts are trusted for CSRF.
 # Needed to be added for /admin
 CSRF_TRUSTED_ORIGINS = ALLOWED_HOSTS
+# Allow CSRF token access in JavaScript
+CSRF_COOKIE_HTTPONLY = False
 
 # Never debug on servers
 DEBUG = False
@@ -24,7 +26,6 @@
 # python manage.py check --deploy
 SESSION_COOKIE_SECURE = True
 CSRF_COOKIE_SECURE = True
-CSRF_COOKIE_HTTPONLY = True
 X_FRAME_OPTIONS = "DENY"
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
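Review bot: The comment added above `CSRF_COOKIE_HTTPONLY = False` in the first hunk says what is allowed but not which front-end code needs it or why relaxing the flag is acceptable. The setting also now sits apart from the cookie-hardening group it was removed from in the second hunk. Django's documentation notes that HttpOnly on the CSRF cookie offers little practical protection, and that the alternative is for JavaScript to read the token from a hidden form input, so a fuller comment would stop a later hardening pass from flipping it back, e.g. `# Front-end JS reads the csrftoken cookie for AJAX requests; HttpOnly adds little protection for this cookie (see Django docs on CSRF_COOKIE_HTTPONLY).` Because this loosens one cookie flag, it is worth confirming the session cookie stays HttpOnly (Django's default). An explicit `SESSION_COOKIE_HTTPONLY = True` next to `SESSION_COOKIE_SECURE = True` would make that visible; the rest of the settings file is outside these hunks.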