I want to create sessions in my Rails 4 application via an AJAX request in an iframe.
In the iframe I've included a form for a new session with the attribute remote: true as usual, and included <%= token_tag %> in the form body as well as <%= csrf_meta_tags %> in the head of the layout.
Chrome has no problem posting this form and creating a session. Under identical conditions Safari causes a CSRF exception.
Why does this happen, and what can I do to stop it? As I understand it, this is not a situation where CSRF is essential, as there is no session to hijack, but I'm still wary of turning it off.
Chrome version: 31.0.1650.63
Safari version: 7.0.1
In Safari, open Safari Preferences from the drop-down menu in the navigation bar or by typing Cmd + , (⌘,). Click the Privacy tab and make sure that "Cookies and website data" is set to either "Always allow" or "Allow from websites I visit".
Briefly, Cross-Site Request Forgery (CSRF) is an attack that allows a malicious user to spoof legitimate requests to your server, masquerading as an authenticated user. Rails protects against this kind of attack by generating unique tokens and validating their authenticity with each submission.
Rails CSRF Token

The server generates these tokens, links them to the user session, and stores them in the database. This token is then injected into any form presented to the client as a hidden field. When the client correctly submits the form for validation, it passes the token back to the server.
It seems this is the famous 'third party cookies' problem. Safari disables them by default.
More: How do Third-Party "tracking cookies" work?
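As an added example, not code from the question or either answer, here is a small Ruby model of the flow the two answers describe: the token is tied to the session, rendered into the form by token_tag, compared on POST, and the session is silently replaced with an empty one when the browser withholds the cookie that was set inside the iframe. SessionStore, simulate_iframe_login and the other names are constructed for this illustration and are not Rails internals; the model mirrors the unmasked scheme of early Rails 4 (later versions mask the token per request, but the dependence on the session cookie is the same).

```ruby
require 'securerandom'

# Toy model of the Rails CSRF flow (constructed for illustration; the class and
# method names are not Rails internals).

# In-memory session store keyed by a cookie value. Stands in for the Rails
# session cookie plus its backing store.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Load the session named by the cookie. When the browser sends no cookie, or
  # an unknown one, Rails silently starts a fresh, empty session; that is what
  # happens when a third-party cookie set inside an iframe is not sent back.
  def load(cookie)
    return [cookie, @sessions[cookie]] if cookie && @sessions.key?(cookie)

    fresh = SecureRandom.hex(16)
    @sessions[fresh] = {}
    [fresh, @sessions[fresh]]
  end
end

# Generate (once per session) the token that token_tag and csrf_meta_tags emit.
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# What <%= token_tag %> renders inside the form.
def token_tag(session)
  %(<input type="hidden" name="authenticity_token" value="#{form_authenticity_token(session)}" />)
end

# Constant-time comparison so a wrong token cannot be confirmed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check run on every non-GET request. A missing session token (fresh
# session) or a missing/incorrect submitted token both fail.
def verified_request?(session, params)
  expected  = session[:_csrf_token]
  submitted = params['authenticity_token']
  return false if expected.nil? || submitted.nil?
  secure_compare(expected, submitted)
end

# Render the iframe (GET) and then post its form (POST). cookies_allowed models
# whether the browser returns the cookie that was set inside the iframe.
def simulate_iframe_login(cookies_allowed:)
  store = SessionStore.new

  # GET: a session is created, its cookie set, and the form rendered with the token.
  cookie, session = store.load(nil)
  token = token_tag(session)[/value="([^"]+)"/, 1]

  # POST: the form carries the token, but the cookie only comes back if allowed,
  # so a blocked cookie yields an empty session whose token is nil.
  _, post_session = store.load(cookies_allowed ? cookie : nil)
  verified_request?(post_session, 'authenticity_token' => token)
end

if __FILE__ == $PROGRAM_NAME
  puts "cookie returned (Chrome default):        #{simulate_iframe_login(cookies_allowed: true)}"
  puts "third-party cookie blocked (Safari default): #{simulate_iframe_login(cookies_allowed: false)}"
end
```

The second run is the situation in the question: the hidden field is correct, but the POST arrives with no session cookie, so the server compares the token against a brand-new session that has none, which is what Rails reports as an invalid authenticity token. Allowing the cookie, or serving the form from the same site as the parent page, is what makes the first run succeed.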