All geek questions in one place

HTTP 403 with django form submission only on IE9

I am working on a version of Django 1.4.2. I implemented this simple form example (inspired by djangobook):

# views.py from django.shortcuts import render from django.http import HttpResponseRedirect from django.core.mail import send_mail from mysite.contact.forms import ContactForm def contact(request): if request.method == 'POST': form = ContactForm(request.POST) if form.is_valid(): cd = form.cleaned_data send_mail( cd['subject'], cd['message'], cd.get('email', ' noreply@example.com '), [' siteowner@example.com '], ) return HttpResponseRedirect('/contact/thanks/') else: form = ContactForm() return render(request, 'contact_form.html', {'form': form}) # contact_form.html <html> <head> <title>Contact us</title> </head> <body> <h1>Contact us</h1> {% if form.errors %} <p style="color: red;"> Please correct the error{{ form.errors|pluralize }} below. </p> {% endif %} <form action="" method="post"> <table> {{ form.as_table }} {% csrf_token %} </table> <input type="submit" value="Submit"> </form> </body> </html> # forms.py from django import forms class ContactForm(forms.Form): subject = forms.CharField() email = forms.EmailField(required=False) message = forms.CharField()

Everything works fine for all the browsers I tried (chrome, maxthon, firefox), but in IE9 I got an HTTP 403 failure.

Any clue on what causes this?

EDIT: after more in-depth research, I found that the problem is because of this: when requesting an empty form, the navigator receives the csrf cookie, but for some unknown reason, it does not send this cookie when the form is submitted. This problem only occurs when the cookie comes from the nginx server at pythonanywhere.com, when I test my own apache server, the cookie is sent back.

Here are two headers captured from servers:

 HTTP/1.1 200 OK Server: nginx/1.2.5 Date: Wed, 21 Nov 2012 13:56:31 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Cookie Set-Cookie: csrftoken=1AJjzkbUgJdKAmkbiHicJ3or2Mfi6AbD; expires=Wed, 20-Nov-2013 13:56:31 GMT; Max-Age=31449600; Path=/ HTTP/1.1 200 OK Date: Wed, 21 Nov 2012 13:56:50 GMT Server: Apache/2.2.15 (CentOS) Vary: Cookie Set-Cookie: csrftoken=2iMZSH1s0vJnEt4tRRY7FciT1Q7orrVF; expires=Wed, 20-Nov-2013 13:56:50 GMT; Max-Age=31449600; Path=/ Keep-Alive: timeout=180, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8

The only significant difference is the Kee-Alive header from apache ...

Do you think this could come from there?

+4
source share
2 answers

{% csrf_token %} outputs the <input type="hidden" ...> , and perhaps IE9 ignores it because it is a direct child of the table, not inside the cell.

Try moving the {% csrf_token %} next to the <input type="submit" value="Submit"> = "Submit">

+2
source

In Django ticket # 17157, he stated that the problem is that Internet Explorer blocks third-party cookies by default. Thus, you can enable third-party cookies for all sites or only for your site in your browser settings. Here's how to do it in IE 7 (from this link ):

  • Click "Service"
  • Click "Internet Options"
  • Select the "Privacy" tab.

Option 1: enable third-party cookies for all sites

  • Click Advanced
  • Select "Override automatic cookie processing"
  • Select the "Accept" button in the "Third-party cookies" section and click "OK"

OR

Option 2: enable third-party cookies only for Feedjit.com

  • Click Sites
  • Add "your-domain.com" and click "Allow"
  • Click OK
  • Select the "Accept" button in the "Third-party cookies" section and click "OK"
0
source

Source: https://habr.com/ru/post/1447222/

More articles:


All Articles