CSRF verification failed, but only with IE9

Submitted by 自古美人都是妖i on 2019-12-04 23:39:48

Question


I have set up CSRF as described in the Django docs (using Django 1.3). It works with FF and Safari, but on IE9 I get

<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
</div>

In the response headers of the Ajax request I find

Set-Cookie  csrftoken=8db3637951243ffb591e6b2d6998ed03; expires=Fri, 14-Sep-2012 08:01:52 GMT; Max-Age=31449600; Path=/

It works in IE9 when using it in a normal Form (i.e. no Ajax involved).

I am using Django behind nginx/1.1.2.

Any hints what I am missing here?


Answer 1:


If your form is inside an iframe, the probable reason is IE's default policy of blocking third-party cookies. You could

  • not use an iframe,
  • bring the iframed page under the same domain as the main page,
  • disable CSRF for that particular form using the @csrf_exempt decorator, or
  • use HTTP headers to tell the browser to allow third-party cookies (see work-around #3 in Chase Seibert's excellent explanation of this issue).

Django's ticket #17157 proposes to add a note about this issue in the documentation.
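
An added example, not part of the answer above and not Django's own code: a simplified model of the cookie-versus-submitted-token comparison behind the 403, useful for telling a withheld third-party cookie apart from an Ajax request that omitted the token. The function name, result labels and sample requests are constructed for illustration; `csrftoken`, `csrfmiddlewaretoken` and `X-CSRFToken` are the names Django uses.

```python
import hmac
from http.cookies import SimpleCookie

TOKEN = "0123456789abcdef0123456789abcdef"  # constructed sample value


def diagnose_csrf(headers, post_data):
    """Classify the outcome of a cookie-vs-submitted-token CSRF check."""
    headers = {k.lower(): v for k, v in headers.items()}
    cookies = SimpleCookie(headers.get("cookie", ""))
    cookie_token = cookies["csrftoken"].value if "csrftoken" in cookies else None
    # A form POST carries the token in the body; an Ajax POST usually
    # carries it in the X-CSRFToken request header instead.
    sent = post_data.get("csrfmiddlewaretoken") or headers.get("x-csrftoken", "")

    if not cookie_token:
        # Browser withheld the cookie, e.g. blocked as third-party in an iframe.
        return "cookie-not-sent"
    if not sent:
        return "token-not-submitted"
    if not hmac.compare_digest(sent.encode(), cookie_token.encode()):
        return "token-mismatch"
    return "ok"


# Constructed requests, one per outcome.
SAMPLES = {
    "form post": ({"Cookie": "csrftoken=" + TOKEN}, {"csrfmiddlewaretoken": TOKEN}),
    "ajax with header": ({"Cookie": "csrftoken=" + TOKEN, "X-CSRFToken": TOKEN}, {}),
    "ajax without header": ({"Cookie": "sessionid=abc; csrftoken=" + TOKEN}, {}),
    "iframe, cookie blocked": ({"X-CSRFToken": TOKEN}, {}),
    "stale token": ({"Cookie": "csrftoken=" + TOKEN, "X-CSRFToken": "f" * 32}, {}),
}

if __name__ == "__main__":
    for name, (headers, post_data) in SAMPLES.items():
        print(f"{name:24} -> {diagnose_csrf(headers, post_data)}")
```

Comparing the `Cookie` request header captured from IE9 with the one from a working browser shows which of these branches applies.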




Answer 2:


I had the same problem; the problem for me was that I did not specify the form action attribute. IE apparently doesn't allow that.




Answer 3:


In Django's ticket #17157 (thanks @akaihola for the link) it's stated that the problem is that Internet Explorer blocks third-party cookies by default. So you can enable third-party cookies for all sites or only for your site in browser settings. Here is how to do that in IE 7 (from this link):

  1. Click the "Tools" menu
  2. Click "Internet Options"
  3. Select the "Privacy" tab

Option 1: To enable third-party cookies for all sites

  1. Click "Advanced"
  2. Select "Override automatic cookie handling"
  3. Select the "Accept" button under "Third-party Cookies" and click "OK"

OR

Option 2: To enable third-party cookies just for Feedjit.com

  1. Click "Sites"
  2. Add "your-domain.com" and click "Allow"
  3. Click "OK"
  4. Select the "Accept" button under "Third-party Cookies" and click "OK"


Source: https://stackoverflow.com/questions/7441889/csrf-verfication-failed-but-only-with-ie9
