Bug: Mandatory CSRF header hard to fill in javascript

[dylandoamaral]

Description

Hi today, CSRF request client to both send the cookie and a header however I have trouble to send the header since the cookie is a httpOnly one that I can't access in my javascript app. I don't understand why we need both, why is it mandatory, and if it is, how should I process to retrieve the cookie value to feed the header ?

Steps to reproduce

1. Run `document.cookie` when there is a CSRF token in a web browser
2. Find out we can't retrieve it, so when can feed the CSRF header

Litestar Version

2.12.1

Platform

• Linux
• Mac
• Windows
• Other (Please specify in the description above)

---

Note

While we are open for sponsoring on GitHub Sponsors and
OpenCollective, we also utilize Polar.sh to engage in pledge-based sponsorship.

Check out all issues funded or available for funding on our Polar.sh dashboard

• If you would like to see an issue prioritized, make a pledge towards it!
• We receive the pledge once the issue is completed & verified
• This, along with engagement in the community, helps us know which features are a priority to our users.

[provinzkraut]

Not sure why http only has been made the default, it doesn't really need to be. However, we can't simply change this, as it could break things. Best we can do for now is make it configurable?

@litestar-org/members