Reputation: 6021
Why is Safari causing a Rails CSRF exception where Chrome isn't?
I want to create sessions in my Rails 4 application via an AJAX request in an iframe.
In the iframe I've included a form for a new session with the attribute remote: true as usual, and included <%= token_tag %> in the form body as well as <%= csrf_meta_tags %> in the head of the layout.
Chrome has no problem posting this form and creating a session. Under identical conditions Safari causes a CSRF exception.
Why does this happen, and what can I do to stop it? As I understand it, this is not a situation where CSRF is essential, as there is no session to hijack, but I'm still wary of turning it off.
Chrome version: 31.0.1650.63
Safari version: 7.0.1
Upvotes: 6
Views: 2905
Answers (1)
Reputation: 6021
It seems this is the famous 'third party cookies' problem. Safari disables them by default.
More: How do Third-Party "tracking cookies" work?
Upvotes: 3
Related Questions
- Rail, ajax and iframe in Safari
- Rails app can't verify CSRF token on chrome only
- Rails Can't verify CSRF token authenticity ajax with X-CSRF-TOKEN header
- WARNING: Can't verify CSRF token authenticity
- Can't verify CSRF token authenticity on rails for cross platform request
- Submitting form through iframe: Rails 4 InvalidAuthenticityToken in Chrome, Safari
- Iframe causes Can't Verify CSRF Token Authenticity n Rails
- Rails Ajax Can't verify CSRF token Authenticity
- Rails 4 Can't verify CSRF token authenticity
- Rails csrf protection fails sometimes