I believe you are correct.
That doesn’t mean there aren’t possible work-arounds. I can think of two right off-hand.
- URL-encode the contents of the searchbox, and submit it as a GET instead of a POST
- If the view invoked by the searchbox is truly safe, mark that view as csrf_exempt