Django's CSRF protection sets a cookie with a token in the response and compares it with the token that is sent through the form. My Facebook Tab app shows that the CSRF cookie is never set in Safari. I know this is due to Safari's third-party cookie policy.
So, how can others who write Facebook Tab or Canvas applications set cookies in their application if the user has never visited their domain (a visit being what makes Safari allow the cookie to be set)?
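The failure described in the question, as an added example that is not part of the original post and is not Django's own code: a simplified model of a double-submit CSRF check, run against a toy cookie jar that drops cookies set from a frame by a domain the user has never visited. The `Browser` class, the function names, the result strings and the domain `app.example` are all constructed for illustration.

```python
import hmac
import secrets

class Browser:
    """Toy cookie jar. block_third_party models the policy in the question:
    a framed site may set cookies only if it was visited first-party before."""
    def __init__(self, block_third_party):
        self.block_third_party = block_third_party
        self.visited = set()   # domains loaded in the top-level window
        self.cookies = {}      # domain -> {name: value}

    def store_cookie(self, domain, name, value, framed):
        if framed and self.block_third_party and domain not in self.visited:
            return False       # Set-Cookie is silently dropped
        self.cookies.setdefault(domain, {})[name] = value
        return True

    def cookie(self, domain, name):
        return self.cookies.get(domain, {}).get(name)

def render_form(browser, domain, framed):
    """Server side: send the token as a cookie and embed it in the form."""
    token = secrets.token_urlsafe(32)
    browser.store_cookie(domain, "csrftoken", token, framed)
    return token               # value placed in the hidden form field

def check_post(browser, domain, form_token):
    """Server side: reject unless the cookie exists and matches the form."""
    cookie_token = browser.cookie(domain, "csrftoken")
    if cookie_token is None:
        return "rejected: CSRF cookie not set"
    if not hmac.compare_digest(cookie_token, form_token):
        return "rejected: CSRF token mismatch"
    return "accepted"

def submit_from_tab(block_third_party, visited_before):
    """Load the app inside a frame, as a Facebook Tab does, and submit."""
    domain = "app.example"     # constructed domain
    browser = Browser(block_third_party)
    if visited_before:
        browser.visited.add(domain)
    form_token = render_form(browser, domain, framed=True)
    return check_post(browser, domain, form_token)
```

The form token always reaches the server; only the cookie half of the comparison is missing, which is why the rejection appears only for framed, never-visited loads.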