I am trying to make an AJAX call to a Django function, but have started getting a CSRF Verification failed error in iOS 8. It works with the latest iOS and used to work with iOS 8.
This may be related to the recent updates to TLS. My host recently deprecated TLS 1.0 and TLS_RSA_WITH_3DES_EDE_CBC_SHA.
I add the CSRF token as a post parameter. If I make the function (server-side) @csrf_exempt then the call works, but I obviously don't want to take away the security.
I have only tested this in Safari. I'm using Django 1.5.2.
HTML:
# this creates an input with the CSRF token as its value
<div id = "csrf_token" class = "hidden">{% csrf_token %}</div>
Javascript:
csrfmiddlewaretoken = $('#csrf_token input').val();
$.ajax({
type: "POST",
url: "<my_url>",
data: {"csrfmiddlewaretoken":csrfmiddlewaretoken},
success: function(data){
alert("ok");
}
,error: function(xhr, status, error) {
alert("error " + xhr.responseText);
}
});
Is there any solution to this or must I stop supporting iOS 8? I still have some users who use it.
The problem turned out to be that referer wasn't being passed in iOS 8, which causes a CSRF fail. Referer wasn't being passed because the page was using the referrer meta tag.
<meta name="referrer" content="always">
<meta name="referrer" content="unsafe-url">
This doesn't work in iOS 8.