From fc14e755ac587da34c4d0a8d3d6e2cb3dc8a34a4 Mon Sep 17 00:00:00 2001
From: Oliver Lopez
Date: Mon, 25 Nov 2024 10:29:11 +0300
Subject: [PATCH 1/2] Added a httponly option for HTMLResponse.set_cookie

---
 solara/server/settings.py | 1 +
 solara/server/starlette.py | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/solara/server/settings.py b/solara/server/settings.py
index 42c9aaa4b..49904c02c 100644
--- a/solara/server/settings.py
+++ b/solara/server/settings.py
@@ -132,6 +132,7 @@ class Config:
 class Session(BaseSettings):
     secret_key: str = SESSION_SECRET_KEY_DEFAULT
+    http_only: Optional[bool] = None
     https_only: Optional[bool] = None
     same_site: str = "lax"
diff --git a/solara/server/starlette.py b/solara/server/starlette.py
index cc83a0d91..5fb08c314 100644
--- a/solara/server/starlette.py
+++ b/solara/server/starlette.py
@@ -444,6 +444,7 @@ async def root(request: Request, fullpath: str = ""):
     session_id = request.cookies.get(server.COOKIE_KEY_SESSION_ID) or str(uuid4())
     samesite = "lax"
     secure = False
+    httponly = settings.session.http_only
     # we want samesite, so we can set a cookie when embedded in an iframe, such as on huggingface
     # however, samesite=none requires Secure https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
     # when hosted on the localhost domain we can always set the Secure flag
@@ -469,6 +470,7 @@ async def root(request: Request, fullpath: str = ""):
         expires="Fri, 01 Jan 2038 00:00:00 GMT",
         samesite=samesite, # type: ignore
         secure=secure, # type: ignore
+        httponly=httponly, # type: ignore
     ) # type: ignore
     return response

From ba463f18c7ff355e93a29baa11e43f7db681df7e Mon Sep 17 00:00:00 2001
From: Oliver Lopez
Date: Tue, 26 Nov 2024 16:51:15 +0300
Subject: [PATCH 2/2] Update solara/server/settings.py

Co-authored-by: Maarten Breddels

---
 solara/server/settings.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solara/server/settings.py b/solara/server/settings.py
index 49904c02c..bd7b83e26 100644
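Review bot: `httponly = settings.session.http_only` is added beside `samesite` and `secure` without the why-comment that the lines directly below give the other two flags, so a reader cannot tell from this code whether the session-id cookie is ever meant to be readable by page script. Suggest a comment above the new line such as `# httponly keeps the session id out of document.cookie; leave it off only if browser-side code must read this cookie`. The value is passed through unchanged to `set_cookie` in the hunk at @@ -469; unlike `secure`, which the surrounding code derives from the request host, it gets no further adjustment, which is presumably intentional. The enclosing `root` function starts and ends outside the hunk.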
--- a/solara/server/settings.py
+++ b/solara/server/settings.py
@@ -132,7 +132,7 @@ class Config:
 class Session(BaseSettings):
     secret_key: str = SESSION_SECRET_KEY_DEFAULT
-    http_only: Optional[bool] = None
+    http_only: bool = False
     https_only: Optional[bool] = None
     same_site: str = "lax"
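Review bot: `http_only: bool = False` makes a script-readable session cookie the default, so the session id stored under `COOKIE_KEY_SESSION_ID` stays exposed to `document.cookie` unless every deployment sets the option explicitly; the conservative default is `http_only: bool = True`, with opt-out reserved for deployments where something in the browser genuinely reads that cookie, which I cannot confirm from this diff. Whichever default is kept, the field is undocumented, as are `https_only` and `same_site` next to it; a one-line comment such as `# Set the HttpOnly flag on the session cookie so page script cannot read the session id` (naming the environment variable pydantic derives for it, if the project documents settings that way) would make the trade-off visible where it is configured. HttpOnly only limits what script can read; it does not change how the cookie is sent, so it complements rather than replaces the `secure`/`samesite` handling in starlette.py.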