Opened 10 years ago

Closed 16 months ago

#17157 closed New feature (wontfix)

CSRF fails in cross-domain iframes on IE

Reported by: Antti Kaihola Owned by:
Component: Documentation Version: dev
Severity: Normal Keywords: csrf iframe ie
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Internet Explorer >=6
blocks third-party cookies by default.
This causes CSRF to fail
for forms which are in iframes which come from a different domain. The user gets this message:

Forbidden (403)
CSRF verification failed. Request aborted.

When a developer hits this problem,
possible solutions
are

None of the solutions can be made for the developer by Django,
so the best Django can do is to provide a note about this corner case in the
Scenarios section of the CSRF documentation.

Change History (11)

comment:1 Changed 10 years ago by Luke Plant

Triage Stage: UnreviewedAccepted

comment:2 Changed 9 years ago by Susan Tan

Owner: changed from nobody to Susan Tan
Status: newassigned

comment:3 Changed 8 years ago by jedierikb@…

A few questions about this and the proposed workarounds.

  1. Could you elaborate bring the iframed page under the same domain as the main page? When using a javascript library like jQuery File Upload https://github.com/blueimp/jQuery-File-Upload, their javascript dynamically creates an iFrame with a form. How could the use of the library or the library itself be adjusted so as to avoid the problems described in this bug? Does it matter if the library is loaded from another site hosted elsewhere?
  1. Can you pass CSRF credentials as URL parameters? This is suggested by the author of the jQuery File Upload library here https://github.com/blueimp/jQuery-File-Upload/pull/148#issuecomment-4251262. What are the concerns, precautions to take when doing this?

comment:4 Changed 8 years ago by Antti Kaihola

Unfortunately I can't recall details of the upload functionality I was implementing when I created this ticket. I would assume that I wasn't using any JavaScript library but made a plain HTML form inside an iframe.

In this case a straightforward solution would have been getting rid of the requirement of serving the iframe contents from a separate subdomain. That's what I probably meant by "bring the iframed page..".

CSRF in query parameters would probably work. I don't seem to have thought of it back then.

comment:5 Changed 8 years ago by anonymous

Owner: Susan Tan deleted
Status: assignednew

comment:6 Changed 8 years ago by Tim Graham

Easy pickings: unset

comment:7 Changed 6 years ago by Joshua Kehn

Needs documentation: set
Owner: set to Joshua Kehn
Status: newassigned

Will be adding documentation specific to IE >=6 and iframes.

comment:8 Changed 5 years ago by Joshua Kehn

Owner: Joshua Kehn deleted
Status: assignednew

comment:9 Changed 4 years ago by Lukas Udstuen

Owner: set to Lukas Udstuen
Status: newassigned

comment:10 Changed 4 years ago by Lukas Udstuen

Owner: Lukas Udstuen deleted
Status: assignednew

comment:11 Changed 16 months ago by Mariusz Felisiak

Needs documentation: unset
Resolution: wontfix
Status: newclosed
Triage Stage: AcceptedUnreviewed

Microsoft deprecated all versions of Internet Explorer (see related #31032) hence we'll not describe any new IE workarounds/caveats in Django docs.

Note: See TracTickets for help on using tickets.
Back to Top