0 Replies Latest reply on Apr 1, 2017 9:46 AM by yunyun27

    iOS 10.3 Set-Cookie header missing from ajax response

    yunyun27 Level 1

      My phonegap app communicates with django, so I use the method described in the following article to capture and send csrftoken:

      https://docs.djangoproject.com/en/1.10/ref/csrf/

      This has been working till iOS 10.3. In iOS 10.3, the ajax call gets all response headers except Set-Cookie. I tried adding xhrFields: {withCredentials: true} and crossDomain: true but it makes no difference.

      Here is the request to get the csrftoken:

       $.ajax({
           // also set withCredentials on the raw xhr before it is sent
           beforeSend: function(xhr) { xhr.withCredentials = true; },
           type: "GET",
           url: 'url', // the django view has @ensure_csrf_cookie set
           xhrFields: { withCredentials: true },
           crossDomain: true,
           success: function(data, textStatus, xhr) {
               // returns null in iOS 10.3
               var cookie = xhr.getResponseHeader("Set-Cookie");
           }
       });

      The same code works fine in iOS 10.2 and we can save the csrftoken from "Set-Cookie" header for later use.
      PhoneGap in iOS 10.3 somehow prevents this "Set-Cookie" response header from appearing in the xhr object, thus we cannot get the csrftoken from server and any subsequent POST action will be forbidden.

      Could it be that PhoneGap in iOS 10.3 forbids the Set-Cookie header from server?  Any workaround idea would be greatly appreciated.  Right now our app can't POST to django server at all because it cannot retrieve the csrftoken from response header.
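      The cookie-based flow from the Django CSRF docs linked above, as an added example that is not the poster's code: Set-Cookie is a forbidden response-header name in the XMLHttpRequest specification, so a conforming client returns null from getResponseHeader for it, and the documented approach instead reads the csrftoken cookie the client already stores and echoes it in the X-CSRFToken request header on unsafe methods. It assumes Django's default cookie name csrftoken and header name X-CSRFToken; the cookie string is passed in explicitly (document.cookie in a page) so the helpers can run outside a browser.

```javascript
// Added example (not the poster's code): the cookie-based CSRF flow from the
// Django docs. Assumes Django's default cookie name "csrftoken" and that the
// server expects the token back in the X-CSRFToken request header.
const CSRF_COOKIE_NAME = "csrftoken";
const CSRF_HEADER_NAME = "X-CSRFToken";

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookieString(cookieString) {
  const cookies = {};
  if (!cookieString) return cookies;
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) cookies[name] = decodeURIComponent(value);
  }
  return cookies;
}

// Read the CSRF token the client already stores. Returns null when the cookie
// is absent (never set, or set for an origin this page cannot read).
function getCsrfToken(cookieString) {
  const value = parseCookieString(cookieString)[CSRF_COOKIE_NAME];
  return value === undefined ? null : value;
}

// Django only enforces the token on state-changing methods.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Build the extra request headers for one call: unsafe methods get the
// X-CSRFToken header, and a missing token is reported up front rather than
// surfacing later as a 403 from the server.
function buildRequestHeaders(method, cookieString) {
  if (csrfSafeMethod(method)) return {};
  const token = getCsrfToken(cookieString);
  if (token === null) {
    throw new Error("csrftoken cookie not found; load a view decorated with @ensure_csrf_cookie first");
  }
  const headers = {};
  headers[CSRF_HEADER_NAME] = token;
  return headers;
}
```

      In a page, call buildRequestHeaders("POST", document.cookie) and pass the result as the ajax headers option.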