My phonegap app communicates with django, so I use the method described in the following article to capture and send csrftoken:
This has been working till iOS 10.3. In iOS 10.3, the ajax call gets all response headers except Set-Cookie. I tried adding xhrFields: {withCredentials: true} and crossDomain: true but it makes no difference.
Here is the request to get the csrftoken:
$.ajax({beforeSend: function(xhr) {xhr.withCredentials = true;},
type: "GET",
url: 'url',
xhrFields: {withCredentials: true},
crossDomain: true,
success: function(data, textStatus, xhr) {
// returns cookie in any iOS except the latest iOS 10.3
document.cookie = xhr.getResponseHeader("Set-Cookie");
},
});
The same code works fine in iOS 10.2 and we can save the csrftoken from "Set-Cookie" header for later use.
iOS 10.3 somehow prevents this "Set-Cookie" response header from appearing in the xhr object, thus we cannot get the csrftoken from server and any subsequent POST action will be forbidden.
Please advise, thank you!