CSRF验证失败,但仅适用于IE9 [英] CSRF verfication failed, but only with IE9
问题描述
我已按照 Django docs (使用Django 1.3)中所述设置了CSRF 。它适用于FF和Safari,但在IE9上,我得到
I have set up CSRF as described in the Django docs (using Django 1.3). It works with FF and Safari, but on IE9 I get
<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
</div>
在Ajax请求的响应头文件中,我发现
In the response headers of the Ajax request I find
Set-Cookie csrftoken=8db3637951243ffb591e6b2d6998ed03; expires=Fri, 14-Sep-2012 08:01:52 GMT; Max-Age=31449600; Path=/
它在IE9中以普通窗体使用(即不涉及Ajax)工作。
It works in IE9 when using it in a normal Form (i.e. no Ajax involved).
我在nginx / 1.1.2之后使用Django。
I am using Django behind nginx/1.1.2.
任何提示我在这里缺少什么? / p>
Any hints what I am missing here?
推荐答案
如果您的表单位于iframe中,则可能的原因是IE的第三方Cookie的默认策略。您可以
If your form is inside an iframe, the probable reason is IE's default policy of blocking third-party cookies. You could
- 不使用iframe,
- 将iframed页面放在与主页,
- 使用 @ csrf_exempt装饰器,或
- 使用HTTP标头告诉浏览器允许第三方Cookie(请参阅工作在 Chase Seibert对此的很好的解释问题)。
- not use an iframe,
- bring the iframed page under the same domain as the main page,
- disable CSRF for that particular form using the @csrf_exempt decorator, or
- use HTTP headers to tell the browser to allow third-party cookies (see work-around #3 in Chase Seibert's excellent explanation of this issue).
Django的票#17157 建议在文档中添加有关此问题的注释。
Django's ticket #17157 proposes to add a note about this issue in the documentation.
这篇关于CSRF验证失败,但仅适用于IE9的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!