Django Iframe Safari Fix

Question

So based on information here Safari 3rd party cookie iframe trick no longer working? and here Missing cookies on iframe in safari 5.1.5 it's clear that old tricks wont work:

from django.http import HttpResponse
from django.conf import settings


SESSION_COOKIE_NAME = getattr(settings, 'SESSION_COOKIE_NAME')

class SafariIFrameFixMiddleware(object):
    """
    Middleware fixes sessions with Safari browser in iframes

    Safari default security policy restricts
    cookie setting in first request in iframe

    Solution is to create hidden form to preserve GET variables
    and REPOST it to current URL
    """
    def process_request(self, request):
        if request.META['HTTP_USER_AGENT'].find('Safari') != -1 \
                and request.META['HTTP_USER_AGENT'].find('Chrome') == -1 \
                and SESSION_COOKIE_NAME not in request.COOKIES \
                and 'cookie_fix' not in request.GET:
            html = """<html><body><form name='cookie_fix' method='GET' action='.'>"""
            for item in request.GET:
                html += "<input type='hidden' value='%s' name='%s' />" % (request.GET[item], item)
            html += "<input type='hidden' name='cookie_fix' value='1' />"
            html += "</form>"
            html += '''<script type="text/javascript">document.cookie_fix.submit()</script></html>'''
            return HttpResponse(html)
        else:
            return

So I'm seeking new way to solve it.

It seems that it requires open up window (with user permission/click or it will be blocked by safari) and start session there.

Problem is that the very same popup page will ran true all of the middlewares thus it not may be always viable inside project (want as little intrusive fix as possible).

Also django session starting is inside middleware as well, I haven't found any clean way of starting one manually. Any suggestions?

Answer 1

I've created working version of fix and uploaded to pypi here: http://pypi.python.org/pypi/django-iframetoolbox

Note: It might not be stable until 0.2 version

Answer 2

I too have created a work around similar to JackLeo's. You can use the middleware or a decorator https://github.com/philroche/django-httpsiframecookiesetter as well as a few more options.