Hello,
I have a front-end using react that sends ajax requests to Django for user login from a separate domain. I have resolved CSRF-related issues in all browsers except Safari.
It seems that Django requires BOTH a header “X-CSRFToken: 71SHXg…” and the cookie “Cookie: csrftoken=71SHXg…” to be included in the request from the front end before accepting the login information.
I have manually put the header “X-CSRFToken: 71SHXg…” into the request, so that part works in all browsers. However I can’t seem to get Safari to include the cookie in the request.
The cookie has been saved in browser storage with Secure=True, and SameSite=None. I have a fetch request using credentials: ‘include’ and a second axios request using “withCredentials: true”. Chrome, Edge, and Firefox all put the csrf cookie in the request, but Safari does not, so Django gives me a Forbidden error in Safari.
Has anyone else run into Safari-specific issues with getting cookies into cross-domain requests?
Alternatively, is there any way to make Django less strict, and take either the header “X-CSRFToken: 71SHXg…” or the cookie? Why does it need both?
Thanks
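To illustrate why the header alone is not enough, here is an added, self-contained Python model of the double-submit check (it is not Django's code and not part of the original post; it is modelled on the scheme Django's CsrfViewMiddleware uses, with the Origin/Referer checks left out). The cookie carries the secret the server will compare against; the header carries a masked copy of that same secret. With only one of the two present there is nothing to compare, so the request is rejected. The token values and the scenarios in `main()` are constructed for the example.

```python
import hmac
import secrets
import string

# Alphabet used for CSRF tokens: letters and digits, 62 characters.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32                      # the per-session secret
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH   # 32-char mask + 32-char masked secret
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def new_csrf_string(length=CSRF_SECRET_LENGTH):
    """Random string from the allowed alphabet: used for the secret and for masks."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(length))


def mask_secret(secret, mask=None):
    """Turn a 32-char secret into a 64-char token: mask followed by (secret + mask) mod 62.

    A fresh mask per token means the same secret looks different on every response,
    so a compression side channel cannot recover it from the page body.
    """
    mask = mask or new_csrf_string()
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(x) for x in secret), (chars.index(x) for x in mask))
    cipher = "".join(chars[(x + y) % len(chars)] for x, y in pairs)
    return mask + cipher


def unmask_token(token):
    """Inverse of mask_secret: recover the 32-char secret from a 64-char token."""
    chars = CSRF_ALLOWED_CHARS
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    pairs = zip((chars.index(x) for x in cipher), (chars.index(x) for x in mask))
    return "".join(chars[(x - y) % len(chars)] for x, y in pairs)


def _valid_format(token):
    """Accept a bare 32-char secret or a 64-char masked token, alphabet chars only."""
    return (
        token is not None
        and len(token) in (CSRF_SECRET_LENGTH, CSRF_TOKEN_LENGTH)
        and all(c in CSRF_ALLOWED_CHARS for c in token)
    )


def _to_secret(token):
    return unmask_token(token) if len(token) == CSRF_TOKEN_LENGTH else token


def check_csrf(method, cookie_token, header_token):
    """Double-submit check: the X-CSRFToken header must match the csrftoken cookie.

    Returns (accepted, reason). Safe methods are never checked; for the rest,
    the cookie is the reference value, so a header with no cookie cannot pass.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no CSRF check"
    if not _valid_format(cookie_token):
        return False, "CSRF cookie not set"      # nothing to compare the header against
    if not _valid_format(header_token):
        return False, "CSRF token missing"       # no client-supplied value to compare
    # Constant-time comparison of the two unmasked secrets.
    if not hmac.compare_digest(_to_secret(header_token).encode(), _to_secret(cookie_token).encode()):
        return False, "CSRF token incorrect"
    return True, "ok"


def main():
    secret = new_csrf_string()
    header = mask_secret(secret)
    scenarios = {
        "cookie + matching header":   ("POST", secret, header),
        "header only (Safari case)":  ("POST", None, header),
        "cookie only":                ("POST", secret, None),
        "cookie + foreign header":    ("POST", secret, mask_secret(new_csrf_string())),
        "GET without either":         ("GET", None, None),
    }
    for name, args in scenarios.items():
        print(f"{name:28s} -> {check_csrf(*args)}")


if __name__ == "__main__":
    main()
```

The "header only" row is the Safari situation from the post: the header arrives, but the cookie that holds the reference secret does not, so the check fails before any comparison happens. Making the server accept the header alone would remove the only thing the check compares against; the usual remedies are to keep the reference value server-side (a session-backed token, which still needs a session cookie to reach the server) or to serve the API from the same site as the front end, for example by proxying it under the front-end origin, so the cookie is no longer a cross-site cookie for Safari to drop.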