Opened 13 years ago
Closed 5 years ago
#17157 closed New feature (wontfix)
CSRF fails in cross-domain iframes on IE
Reported by: | Antti Kaihola | Owned by: | |
---|---|---|---|
Component: | Documentation | Version: | dev |
Severity: | Normal | Keywords: | csrf iframe ie |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Internet Explorer >=6
blocks third-party cookies by default.
This causes CSRF to fail
for forms which are in iframes which come from a different domain. The user gets this message:
Forbidden (403) CSRF verification failed. Request aborted.
When a developer hits this problem,
possible solutions
are
- not use an iframe
- bring the iframed page under the same domain as the main page
- use the @csrf_exempt decorator for the form
- add HTTP headers to tell the browser to allow third-party cookies (see Chase Seibert's work around #3)
None of the solutions can be made for the developer by Django,
so the best Django can do is to provide a note about this corner case in the
Scenarios section of the CSRF documentation.
Change History (11)
comment:1 by , 13 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:2 by , 12 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 12 years ago
comment:4 by , 12 years ago
Unfortunately I can't recall details of the upload functionality I was implementing when I created this ticket. I would assume that I wasn't using any JavaScript library but made a plain HTML form inside an iframe.
In this case a straightforward solution would have been getting rid of the requirement of serving the iframe contents from a separate subdomain. That's what I probably meant by "bring the iframed page..".
CSRF in query parameters would probably work. I don't seem to have thought of it back then.
comment:5 by , 12 years ago
Owner: | removed |
---|---|
Status: | assigned → new |
comment:6 by , 11 years ago
Easy pickings: | unset |
---|
comment:7 by , 9 years ago
Needs documentation: | set |
---|---|
Owner: | set to |
Status: | new → assigned |
Will be adding documentation specific to IE >=6 and iframes
.
comment:8 by , 8 years ago
Owner: | removed |
---|---|
Status: | assigned → new |
comment:9 by , 7 years ago
Owner: | set to |
---|---|
Status: | new → assigned |
comment:10 by , 7 years ago
Owner: | removed |
---|---|
Status: | assigned → new |
comment:11 by , 5 years ago
Needs documentation: | unset |
---|---|
Resolution: | → wontfix |
Status: | new → closed |
Triage Stage: | Accepted → Unreviewed |
Microsoft deprecated all versions of Internet Explorer (see related #31032) hence we'll not describe any new IE workarounds/caveats in Django docs.
A few questions about this and the proposed workarounds.