4

I have a problem with CSRF validation failing on iframes in IE.

I've learned I can fix it if I have access to the parent page's server by adding certain headers, using information from this question. Unfortunately, I don't have access to the parent page (third party host platform), so this won't work.

The page in question is: http://yuchan.myshopify.com/collections/iphone-4-artist-series/products/custom-product

To replicate the problem, click on "Upload your art" (step 2) and try to upload something in IE. You should get a CSRF error.

I am going to disable CSRF protection, but I was curious what others thought of my situation.

Thanks!

Yuji 'Tomita' Tomita

1 Answer

7

The problem occurs because IE doesn't accept cookies in iframes by default. You can fix that by setting proper headers:

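from django.shortcuts import render_to_response
# Inside the view: build the response, then attach the P3P compact policy header
response = render_to_response('mytemplate.html')
response["P3P"] = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'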

There is a blog entry about that here: http://adamyoung.net/IE-Blocking-iFrame-Cookies.

Tomasz Wysocki
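
To apply the header from the answer above to every response instead of a single view, the same assignment can live in a middleware. This is an added example, not part of the original answer: the class name `P3PHeaderMiddleware` is hypothetical, the policy string is the one quoted in the answer, and the demo uses plain dicts as constructed stand-ins for Django responses.

```python
# Added example: Django-style middleware, not code from the original answer.
# Compact policy string copied from the answer above.
P3P_COMPACT_POLICY = (
    'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'
)


class P3PHeaderMiddleware:
    """Attach the P3P header to every response the site returns.

    Hypothetical class name. It follows Django's middleware protocol
    (a callable constructed with get_response), so this file needs no
    Django import of its own.
    """

    def __init__(self, get_response, policy=P3P_COMPACT_POLICY):
        self.get_response = get_response
        self.policy = policy

    def __call__(self, request):
        response = self.get_response(request)
        # setdefault (available on HttpResponse and on dict) keeps a
        # P3P header that a view has already set explicitly.
        response.setdefault("P3P", self.policy)
        return response


def demo():
    """Run the middleware over constructed stand-in responses (dicts)."""
    plain = P3PHeaderMiddleware(lambda request: {"Content-Type": "text/html"})
    custom = P3PHeaderMiddleware(lambda request: {"P3P": 'CP="CUSTOM"'})
    return plain(None), custom(None)


if __name__ == "__main__":
    for headers in demo():
        print(headers)
```

In a Django project the class would be listed in the `MIDDLEWARE` setting by its dotted path, for example `myproject.middleware.P3PHeaderMiddleware` (a placeholder path).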