Django csrf cookie not set for subdomain when accessing an iframe on a third party site

My application has worked well so far when everything was done by accessing its public IP address.

It is now added to the main site as app.mainsite.com. This is how it is available; I can log in, etc., everything works.

But my app is a little bit special: a certain feature of it allows its users to open one of their URLs in an iframe on any third-party site where the application's scripts are embedded in the HTML, in order to perform certain application activity on those third-party sites. Now everyone could see the new content that the application was bringing to these third-party sites, but to change some settings they had to log in to my application. If not logged in, it would be possible to log in inside the modal itself, and if the login was successful they would be redirected to the edit options page. Basically, any write requests from third-party sites required the site owner to be registered with our app. Either they can log in in the modal, or log in from another tab and then refresh their site to be able to enter the edit view.

The problem is that everything worked fine before. Now I can create a post with CSRF tokens from app.mainsite.com, but when it opens in an iframe it raises "CSRF cookie not set".

I checked the Resources tab, and there the csrftoken cookie does not match the csrfmiddlewaretoken in the form on app.mainsite.com. Obviously CSRF doesn't work.

How can I overcome this?

I tried setting CSRF_COOKIE_DOMAIN='.mainsite.com', but it didn't work.

What can I do?

+1

2 answers


It turned out to be a bug in the Chromium Ubuntu build. Yes, I used Chromium (and I am using Ubuntu as my OS). The plnkr link provided by this person did not work in Chromium, but it worked fine in Chrome and Firefox.

I tested my app in Chrome and Firefox too; it works the same as before.

+1

You can try adding the @csrf_exempt decorator around the view which is responsible for the response... but of course this will disable CSRF checking for that view...



from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt  # CsrfViewMiddleware skips this view only; POSTs to it are no longer CSRF-protected
def your_view(request):
    # the view that is opened inside the third-party iframe
    return HttpResponse("ok")

0
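To make the trade-off in this answer concrete, here is an added illustration (not code from the question, the answers, or Django itself): a simplified model of the double-submit check that Django's CsrfViewMiddleware performs, comparing the csrftoken cookie with the csrfmiddlewaretoken form field. It models the three situations on this page: a normal top-level request, the same request made from inside an iframe on a third-party site by a browser that withholds the cookie in that context (which is why CSRF_COOKIE_DOMAIN='.mainsite.com' does not help, the cookie domain already matches), and a view marked csrf_exempt, which accepts the iframe request but also accepts a forged one. The host names, tokens and the "browser withholds third-party cookies" flag are constructed for the example; real Django additionally masks the token and checks Origin/Referer on HTTPS.

```python
"""Simplified model of Django's CSRF double-submit check (added example, not
Django's own CsrfViewMiddleware). Rejection strings mirror Django's."""
import hmac
import secrets
from typing import Dict, Optional

CSRF_COOKIE_NAME = "csrftoken"
FORM_FIELD = "csrfmiddlewaretoken"
APP_HOST = "app.mainsite.com"  # host from the question; POSTs always go here


def domain_match(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265-style domain match. A cookie with Domain=.mainsite.com is sent
    to mainsite.com and every subdomain (app.mainsite.com); a host-only cookie
    (the Django default, domain == the host that set it) only to that host."""
    d = cookie_domain.lstrip(".").lower()
    h = request_host.lower()
    return h == d or h.endswith("." + d)


def cookies_for_request(jar: Dict[str, Dict[str, str]], host: str,
                        framed_on_third_party: bool = False,
                        browser_withholds_third_party: bool = False) -> Dict[str, str]:
    """Cookies a browser attaches to a request for `host`. `jar` maps cookie
    name -> {"value", "domain"}. When the page is embedded in a frame on another
    site and the browser withholds third-party cookies (by policy, or the bug in
    the accepted answer), nothing is sent even though the Domain matches."""
    if framed_on_third_party and browser_withholds_third_party:
        return {}
    return {n: c["value"] for n, c in jar.items() if domain_match(c["domain"], host)}


def check_csrf(cookies: Dict[str, str], post_data: Dict[str, str],
               exempt: bool = False) -> Optional[str]:
    """None = request accepted, otherwise the rejection reason.
    exempt=True models @csrf_exempt: the check is skipped entirely."""
    if exempt:
        return None
    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    if cookie_token is None:
        return "CSRF cookie not set."
    form_token = post_data.get(FORM_FIELD, "")
    # constant-time comparison, as Django does, so the token cannot be guessed by timing
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return "CSRF token missing or incorrect."
    return None


def simulate(cookie_domain: str, framed_on_third_party: bool = False,
             browser_withholds_third_party: bool = False,
             exempt: bool = False) -> Optional[str]:
    """Constructed scenario: app.mainsite.com set the CSRF cookie with the given
    Domain attribute and rendered a form carrying the same token; the form is
    then POSTed back to app.mainsite.com, optionally from inside an iframe on a
    third-party site."""
    token = secrets.token_hex(16)
    jar = {CSRF_COOKIE_NAME: {"value": token, "domain": cookie_domain}}
    post_data = {FORM_FIELD: token, "title": "new post"}
    sent = cookies_for_request(jar, APP_HOST, framed_on_third_party,
                               browser_withholds_third_party)
    return check_csrf(sent, post_data, exempt=exempt)


if __name__ == "__main__":
    print("top level, host-only cookie:", simulate(APP_HOST))
    print("iframe, cookie withheld:", simulate(APP_HOST, True, True))
    print("iframe, withheld, Domain=.mainsite.com:", simulate(".mainsite.com", True, True))
    print("iframe, cookie sent (Chrome/Firefox case):", simulate(".mainsite.com", True, False))
    print("iframe, withheld, csrf_exempt:", simulate(".mainsite.com", True, True, exempt=True))
    # what the exemption gives up: a forged POST with no form token is also accepted
    print("forged POST, csrf_exempt:", check_csrf({CSRF_COOKIE_NAME: "x"}, {}, exempt=True))
```

The last two lines are the point of the caveat in this answer: csrf_exempt makes the iframe case "work" only because the check no longer runs, so a cross-site form POST without any token is accepted too. If that view changes state, it needs its own replacement protection (for example an API token or signed request the third-party page supplies) rather than relying on the cookie check that was removed.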