From dde014860a3b899e115c750096a1298824d66f32 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sun, 16 Apr 2023 16:44:21 +0100
Subject: [PATCH] Unset HttpOnly for CSRF cookie

---
 website/settings.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/website/settings.py b/website/settings.py
index e87745d..c216f87 100644
--- a/website/settings.py
+++ b/website/settings.py
@@ -396,9 +396,11 @@ SECURE_REFERRER_POLICY = "same-origin"
 SESSION_COOKIE_SECURE = not DEBUG
 SESSION_COOKIE_AGE = 2419200 # About a month
 CSRF_COOKIE_SECURE = not DEBUG
-CSRF_COOKIE_HTTPONLY = True
 SESSION_COOKIE_HTTPONLY = True
+# https://github.com/wagtail/wagtail-autocomplete/issues/149
+CSRF_COOKIE_HTTPONLY = False
+
 SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 PERMISSIONS_POLICY: dict[str, list] = {
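Review bot: The comment above the new `CSRF_COOKIE_HTTPONLY = False` is only an issue link, so anyone auditing cookie flags later has to leave the file to learn why a hardening setting was relaxed; the rationale belongs inline. Suggest `# Not HttpOnly: wagtail-autocomplete's JS presumably reads the CSRF token from the cookie (see the linked issue); False is also Django's default, and the token is already exposed in every rendered form, so HttpOnly adds little here.` The alternative, should this be revisited, is to hand the token to the script via a `{% csrf_token %}` field or meta tag and restore `True`, which the comment could mention. As a point of style, the new line now sits apart from `CSRF_COOKIE_SECURE = not DEBUG`; placing it directly after that line keeps the CSRF cookie settings together and the trailing added blank line becomes unnecessary.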