id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
17157	CSRF fails in cross-domain iframes on IE	Antti Kaihola		"Internet Explorer >=6
[http://en.wikipedia.org/wiki/HTTP_cookie#Browser_settings blocks third-party cookies by default].
This [http://bitkickers.blogspot.com/2011/06/django-csrf-verification-failed-in-ie.html causes CSRF to fail]
for forms which are in iframes which come from a different domain. The user gets this message:
{{{
Forbidden (403)
CSRF verification failed. Request aborted.
}}}

When a developer hits this problem,
[http://stackoverflow.com/questions/7441889/#7991359 possible solutions]
are:

* do not use an iframe
* bring the iframed page under the same domain as the main page
* use the [https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#edge-cases @csrf_exempt]
  decorator for the form
* add HTTP headers to tell the browser to allow third-party cookies (see
  [http://bitkickers.blogspot.com/2011/06/django-csrf-verification-failed-in-ie.html Chase Seibert's workaround #3])

None of the solutions can be made for the developer by Django,
so the best Django can do is to provide a note about this corner case in the
[https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#scenarios Scenarios section of the CSRF documentation]."	New feature	closed	Documentation	dev	Normal	wontfix	csrf iframe ie		Unreviewed	0	0	0	0	0	0
