CSRF verification failed, but only with IE9

I have set up CSRF as described in the Django docs (using Django 1.3). It works with FF and Safari, but on IE9 I get

<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
</div>

In the response headers of the Ajax request I find

Set-Cookie  csrftoken=8db3637951243ffb591e6b2d6998ed03; expires=Fri, 14-Sep-2012 08:01:52 GMT; Max-Age=31449600; Path=/

It works in IE9 when using it in a normal Form (i.e. no Ajax involved).

I am using Django behind nginx/1.1.2.

Any hints what I am missing here?

Django Asül Avatar asked Sep 16 '11 08:09



3 Answers

If your form is inside an iframe, the probable reason is IE's default policy of blocking third-party cookies. You could

  • not use an iframe,
  • bring the iframed page under the same domain as the main page,
  • disable CSRF for that particular form using the @csrf_exempt decorator, or
  • use HTTP headers to tell the browser to allow third-party cookies (see work-around #3 in Chase Seibert's excellent explanation of this issue).

Django's ticket #17157 proposes to add a note about this issue in the documentation.

akaihola Avatar answered Nov 18 '22 18:11

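To see why a blocked csrftoken cookie ends in the 403 above, here is an added example (not code from the question, the answers, or Django itself) that models both halves of the exchange: the browser side copies the cookie into an X-CSRFToken header on unsafe Ajax requests, and a simplified stand-in for Django's CsrfViewMiddleware rejects the request when the cookie is missing or does not match. The cookie string, token value and header names below are constructed for the demonstration; in a browser you would pass document.cookie and attach the returned headers to the XMLHttpRequest.

```javascript
// Parse one cookie value out of a document.cookie-style string.
// Returns null when the cookie is absent (e.g. blocked as third-party).
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Django only enforces the CSRF check on state-changing methods.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Browser side: build the extra headers for an Ajax request so that
// X-CSRFToken mirrors the csrftoken cookie. Returns null when the cookie
// cannot be read, which is exactly the iframe/third-party-cookie case.
function buildAjaxHeaders(method, cookieString) {
  if (csrfSafeMethod(method)) return {};
  const token = getCookie(cookieString, 'csrftoken');
  if (token === null) return null;
  return { 'X-CSRFToken': token };
}

// Server side: simplified model (an assumption, not Django's real code) of
// the middleware rule: the cookie must be present on the request and must
// equal the token submitted via header or the csrfmiddlewaretoken field.
function serverAccepts(method, cookieHeader, headers, postData) {
  if (csrfSafeMethod(method)) return true;
  const cookieToken = getCookie(cookieHeader, 'csrftoken');
  if (cookieToken === null) return false; // no cookie -> "CSRF verification failed"
  const submitted = (headers && headers['X-CSRFToken']) ||
                    (postData && postData.csrfmiddlewaretoken) || '';
  return submitted === cookieToken;
}

// Constructed sample cookie header; the token value is made up.
const SAMPLE_TOKEN = '0123456789abcdef0123456789abcdef';
const SAMPLE_COOKIE = 'sessionid=abc; csrftoken=' + SAMPLE_TOKEN;
```

With the cookie present, a POST carrying the header is accepted; with an empty cookie string (the blocked case) even a correct csrfmiddlewaretoken field is refused, matching the behaviour the answers describe.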


I had the same problem, the problem for me was that I did not specify the form action attribute. IE apparently doesn't allow that.

Peter Avatar answered Nov 18 '22 19:11



In Django's ticket #17157 (thanks @akaihola for the link) it's stated that the problem is that Internet Explorer blocks third-party cookies by default. So you can enable third-party cookies for all sites or only for your site in browser settings. Here is how to do that in IE 7 (from this link):

  1. Click the "Tools" menu
  2. Click "Internet Options"
  3. Select the "Privacy" tab

Option 1: To enable third-party cookies for all sites

  1. Click "Advanced"
  2. Select "Override automatic cookie handling"
  3. Select the "Accept" button under "Third-party Cookies" and click "OK"

OR

Option 2: To enable third-party cookies just for Feedjit.com

  1. Click "Sites"
  2. Add "your-domain.com" and click "Allow"
  3. Click "OK"
  4. Select the "Accept" button under "Third-party Cookies" and click "OK"
Dennis Golomazov Avatar answered Nov 18 '22 18:11
