Why is Safari causing a Rails CSRF exception where Chrome isn't?

Question

I want to create sessions in my Rails 4 application via an AJAX request in an iframe.

In the iframe I've included a form for a new session with the attribute remote: true as usual, and included <%= token_tag %> in the form body as well as <%= csrf_meta_tags %> in the head of the layout.

Chrome has no problem posting this form and creating a session. Under identical conditions Safari causes a CSRF exception.

Why does this happen, and what can I do to stop it? As I understand it, this is not a situation where CSRF is essential, as there is no session to hijack, but I'm still wary of turning it off.

Chrome version: 31.0.1650.63

Safari version: 7.0.1

score 3 · Accepted Answer · edited May 23 '17 at 12:24

3

It seems this is the famous 'third party cookies' problem. Safari disables them by default.

More: How do Third-Party "tracking cookies" work?

edited May 23 '17 at 12:24

Community

1
1

answered Jan 10 '14 at 09:20

djb

5,591
5
41
47

Thanks for the information. I still do not understand what is the solution. – guyaloni Jul 14 '15 at 17:41
@guyaloni, you either have to work without cookies, or bring the user to your website and set a cookie there – djb Jul 14 '15 at 21:52
Not really.. http://stackoverflow.com/questions/31429589/rail-ajax-and-iframe-in-safari :-( – guyaloni Jul 15 '15 at 11:51

Why is Safari causing a Rails CSRF exception where Chrome isn't?

1 Answers1

Linked