CSRF XSRF - problem with reading token from cookie


I have developed a REST API and two JavaScript clients (a Single Page App and a native app based on Electron). In both clients my users authenticate via an OAuth2 flow:

  1. the client sends the username and password to the server
  2. it gets an access_token (in plain text) and a refresh_token (in an httponly cookie)
  3. when the token expires, the client refreshes it by sending a request to the /refresh endpoint (the server reads the refresh_token from the cookie)

Now I would like to implement CSRF protection, so I added it on my back-end side (Spring):

    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().antMatchers("/", "/index.html", "/token/**").permitAll();
        // the CSRF part of the configuration is not shown in the posted snippet
    }

My SPA works perfectly: Angular reads XSRF-TOKEN from the cookie and sends it in the X-XSRF-TOKEN header. I have a problem with the Electron app. It doesn't have access to the cookie (because of a different origin: Electron is running on a file:// URL), so it is unable to set the X-XSRF-TOKEN header.

How can I deal with it? Is there any way to instantiate a "cross-origin" cookie (specify the domains which can read the cookie)? Or maybe I can somehow take the cookie value via some Electron magic API (if it has access to the file system, maybe it has access to any cookie which is created on the machine)? Or can I somehow implement a proxy inside my Electron app?

I have also placed the question on Stack Overflow, so feel free to add an answer there if you prefer: