Why is Safari causing a Rails CSRF exception where Chrome isn't?

对着背影说爱祢 submitted on 2019-12-07 04:01:22

Question


I want to create sessions in my Rails 4 application via an AJAX request in an iframe.

In the iframe I've included a form for a new session with the attribute remote: true as usual, and included <%= token_tag %> in the form body as well as <%= csrf_meta_tags %> in the head of the layout.

Chrome has no problem posting this form and creating a session. Under identical conditions Safari causes a CSRF exception.

Why does this happen, and what can I do to stop it? As I understand it, this is not a situation where CSRF is essential, as there is no session to hijack, but I'm still wary of turning it off.

Chrome version: 31.0.1650.63

Safari version: 7.0.1


Answer 1:


It seems this is the famous 'third party cookies' problem. Safari disables them by default.

More: How do Third-Party "tracking cookies" work?



Source: https://stackoverflow.com/questions/21033364/why-is-safari-causing-a-rails-csrf-exception-where-chrome-isnt
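Why a blocked third-party cookie surfaces as a CSRF exception, shown as an added example that is not part of the original question or answer and is not Rails source code: the class ToyApp and the helper post_from_browser are hypothetical, and the model is a simplified session-bound token check written for this illustration.

```ruby
require 'securerandom'

# Simplified model (an assumption, not Rails source) of session-bound CSRF checks:
# the token is stored in the session, which is only found again via the cookie.
class ToyApp
  class InvalidAuthenticityToken < StandardError; end

  def initialize
    @sessions = {} # session id => session data (server-side store for brevity)
  end

  # GET of the form: returns [session cookie to set, token embedded in the form].
  def render_form(cookie)
    sid, session = load_session(cookie)
    session[:_csrf_token] ||= SecureRandom.base64(32)
    [sid, session[:_csrf_token]]
  end

  # POST of the form: the submitted token must match the one held in the session.
  def submit_form(cookie, form_token)
    _sid, session = load_session(cookie)
    expected = session[:_csrf_token]
    raise InvalidAuthenticityToken unless expected && secure_compare(expected, form_token.to_s)
    :session_created
  end

  private

  # A missing or unknown cookie yields a brand-new, empty session.
  def load_session(cookie)
    sid = @sessions.key?(cookie) ? cookie : SecureRandom.hex(16)
    [sid, (@sessions[sid] ||= {})]
  end

  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Browser model: a first-party page keeps the cookie; an iframe on another site
# with third-party cookies blocked discards it, so the POST arrives without one.
def post_from_browser(app, accepts_cookie:)
  set_cookie, token = app.render_form(nil)
  jar = accepts_cookie ? set_cookie : nil
  app.submit_form(jar, token)
rescue ToyApp::InvalidAuthenticityToken
  :csrf_exception
end
```

The form token is valid in both cases; the check fails only because the server cannot find the session that token was issued for.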
