Fix WebSocket CSRF validation failure on Chromium browsers over HTTPS

SameSite=Strict cookies are not sent with WebSocket upgrade requests on
Chromium-based browsers (Brave confirmed), causing the CSRF cookie
check at connect time to fail with 'csrf cookie mismatch'. This breaks
the state_sync namespace, preventing the UI from loading chats.

Change SameSite from Strict to Lax for both the Flask session cookie
and the JavaScript-set CSRF token cookie. Lax still prevents cross-site
POST CSRF while allowing same-origin WebSocket upgrades to include
cookies.

Fixes #1237
This commit is contained in:
Paolo Calvi 2026-03-11 00:00:33 +01:00
parent 5e7253282c
commit 07f94ef4b5
2 changed files with 2 additions and 2 deletions


@ -52,7 +52,7 @@ WerkzeugRequest.max_form_memory_size = UPLOAD_LIMIT_BYTES
webapp.config.update(
JSON_SORT_KEYS=False,
SESSION_COOKIE_NAME="session_" + runtime.get_runtime_id(), # bind the session cookie name to runtime id to prevent session collision on same host
SESSION_COOKIE_SAMESITE="Strict",
SESSION_COOKIE_SAMESITE="Lax",
SESSION_PERMANENT=True,
PERMANENT_SESSION_LIFETIME=timedelta(days=1),
MAX_CONTENT_LENGTH=int(os.getenv("FLASK_MAX_CONTENT_LENGTH", str(UPLOAD_LIMIT_BYTES))),
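Review bot: The new `SESSION_COOKIE_SAMESITE="Lax"` line carries no explanation in the config itself, so the next cookie-hardening pass will most likely flip it back to Strict and reintroduce the connect-time failure this commit fixes; a why-comment next to the setting, in the style of the one on SESSION_COOKIE_NAME, would pin it: `SESSION_COOKIE_SAMESITE="Lax",  # not Strict: Chromium-based browsers omit Strict cookies from WebSocket upgrades (#1237)`. Lax also means the session cookie now accompanies top-level cross-site GET navigations, so any GET handler that mutates state, and the Origin check on the socket handshake, now carry the protection that Strict used to absorb — the commit description could say that the double-submit token check is what remains. `SESSION_COOKIE_SECURE` is not visible in this hunk; if it is not set elsewhere, the session cookie is still sent over plain HTTP while the JavaScript-set CSRF cookie is marked Secure on https, which is an inconsistency worth closing in the same change.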


@ -219,7 +219,7 @@ export async function getCsrfToken() {
if (cookieRuntimeId) {
const _secureFlag =
window.location.protocol === "https:" ? "; Secure" : "";
document.cookie = `csrf_token_${cookieRuntimeId}=${csrfToken}; SameSite=Strict; Path=/${_secureFlag}`;
document.cookie = `csrf_token_${cookieRuntimeId}=${csrfToken}; SameSite=Lax; Path=/${_secureFlag}`;
} else {
console.warn("CSRF runtime id missing; skipping cookie name binding.");
}
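Review bot: The `SameSite=Lax` attribute in the `document.cookie` write has no comment saying why it is looser than the Strict value it replaces, and because the server-side session cookie is configured separately the two can drift apart again; `// Lax, not Strict: Strict cookies are dropped from WebSocket upgrades on Chromium-based browsers (#1237)` above the assignment would keep them aligned. `cookieRuntimeId` and `csrfToken` are interpolated into the cookie string unencoded, so if either could ever contain `;`, `=` or whitespace the attribute list would be corrupted and the SameSite/Secure attributes silently lost — presumably both are server-generated opaque ids, but either asserting their format here or wrapping them in `encodeURIComponent` would make that explicit. The enclosing `getCsrfToken` function starts before the hunk, so where `csrfToken` and `cookieRuntimeId` come from is not visible here.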