Description
Hi, today CSRF requires the client to send both the cookie and a header; however, I have trouble sending the header since the cookie is an httpOnly one that I can't access in my JavaScript app. I don't understand why we need both, why it is mandatory, and if it is, how I should proceed to retrieve the cookie value to feed the header?
Steps to reproduce
1. Run `document.cookie` when there is a CSRF token in a web browser
2. Find out we can't retrieve it, so we can't feed the CSRF header
Litestar Version
2.12.1
Platform