I have set up CSRF as described in the Django docs (using Django 1.3). It works with FF and Safari, but on IE9 I get

<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
</div>

In the response headers of the Ajax request I find

Set-Cookie: csrftoken=8db3637951243ffb591e6b2d6998ed03; expires=Fri, 14-Sep-2012 08:01:52 GMT; Max-Age=31449600; Path=/

It works in IE9 when using it in a normal Form (i.e. no Ajax involved).

I am using Django behind nginx/1.1.2.

Any hints as to what I am missing here?

Community
Django Asül

3 Answers

3

I had the same problem, the problem for me was that I did not specify the form action attribute. IE apparently doesn't allow that.

Peter
3

If your form is inside an iframe, the probable reason is IE's default policy of blocking third-party cookies. You could

Django's ticket #17157 proposes to add a note about this issue in the documentation.

akaihola
1

In Django's ticket #17157 (thanks @akaihola for the link) it's stated that the problem is that Internet Explorer blocks third-party cookies by default. So you can enable third-party cookies for all sites or only for your site in browser settings. Here is how to do that in IE 7 (from this link):

  1. Click the "Tools" menu
  2. Click "Internet Options"
  3. Select the "Privacy" tab

Option 1: To enable third-party cookies for all sites

  1. Click "Advanced"
  2. Select "Override automatic cookie handling"
  3. Select the "Accept" button under "Third-party Cookies" and click "OK"

OR

Option 2: To enable third-party cookies just for Feedjit.com

  1. Click "Sites"
  2. Add "your-domain.com" and click "Allow"
  3. Click "OK"
  4. Select the "Accept" button under "Third-party Cookies" and click "OK"
Dennis Golomazov
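The client-side half of the setup the question refers to, as an added example that is not code from the question or from any of the answers: Django's CSRF protection for Ajax expects the browser to read the csrftoken cookie and echo it in an X-CSRFToken header on every unsafe request, which is the pattern Django's docs describe. If the cookie was never stored, as happens under IE's default third-party-cookie policy when the page sits in an iframe, there is no token to send and CsrfViewMiddleware answers 403, so the helper makes that state explicit instead of firing a request that is bound to fail. The cookie value is the one shown in the question; the sessionid cookie and the postWithCsrf call site are constructed for illustration and assume a browser environment.

```javascript
// Added example (not from the question or the answers): wiring Django's
// cookie-plus-header CSRF check into an Ajax request. Cookie and header
// names are Django's defaults (csrftoken / X-CSRFToken).

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Methods that Django's CsrfViewMiddleware does not check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Build the request headers for a given method. For unsafe methods the
// csrftoken cookie is echoed back as X-CSRFToken. missingToken is set when
// the cookie is absent: that is exactly the state behind the 403 in the
// question, e.g. a browser that refused to store a third-party cookie.
function csrfHeaders(method, cookieString) {
  const headers = {};
  const token = parseCookies(cookieString).csrftoken;
  if (!SAFE_METHODS.has(method.toUpperCase())) {
    if (!token) {
      return { headers, missingToken: true };
    }
    headers['X-CSRFToken'] = token;
  }
  return { headers, missingToken: false };
}

// Hypothetical browser call site (document and fetch exist only in a browser).
// credentials: 'same-origin' ensures the session and csrftoken cookies
// accompany the request, which the server-side check also requires.
async function postWithCsrf(url, body) {
  const { headers, missingToken } = csrfHeaders('POST', document.cookie);
  if (missingToken) {
    throw new Error('csrftoken cookie not available; the server will answer 403');
  }
  headers['Content-Type'] = 'application/json';
  return fetch(url, {
    method: 'POST',
    headers,
    body: JSON.stringify(body),
    credentials: 'same-origin',
  });
}

// Constructed sample: the csrftoken value from the question as the browser
// would store it, plus a made-up sessionid cookie.
const SAMPLE_COOKIE = 'csrftoken=8db3637951243ffb591e6b2d6998ed03; sessionid=abc';
```

A quick way to confirm the cause of a 403 like the one in the question is to check csrfHeaders('POST', document.cookie).missingToken in the browser console on the affected page: if it is true, the browser never stored the cookie (the iframe/third-party case), and no amount of header plumbing will help until the cookie policy is addressed.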