CSRF cookie not set if visiting a media page directly
Reported by: Peter Kuma
When visiting a media page via a direct link (i.e. without going through the main page), the CSRF cookie is not set for the root path of the domain. Consequently, when a user tries to submit a comment, it fails with 403 Forbidden:
    403 Forbidden
    CSRF cookie not present. This is most likely the result of a cookie blocker or somesuch.
    Make sure to permit the settings of cookies for this domain
The reason for this is that the CSRF middleware sets the cookie path to request.environ['SCRIPT_NAME'], so the cookie is scoped too narrowly and the browser does not send it when the comment add page is requested.
The issue can be fixed by introducing a new setting, csrf_cookie_path, set by default to '/' and used instead of request.environ['SCRIPT_NAME']. Django does something similar.
Attached is a patch.
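To make the failure mode concrete, here is an added illustration (not the attached patch and not the project's own middleware) that models RFC 6265 cookie path matching and a simplified CSRF cookie setter. The function names, the cookie name "csrftoken", the sample paths "/media/42/" and "/comments/add/" and the config key handling are all constructed for this example; only the idea of a csrf_cookie_path setting defaulting to '/' comes from the ticket.

```python
"""Constructed example: why a CSRF cookie scoped to SCRIPT_NAME is not
sent on a later request to a different path, and how a '/' path fixes it.
Everything here is illustrative; the names are assumptions, not the
project's real code."""
from http.cookies import SimpleCookie


def default_path(request_path: str) -> str:
    """RFC 6265 section 5.1.4 default-path: the request path up to, but not
    including, the rightmost '/', or '/' if the path has at most one '/'.
    Browsers apply this when Set-Cookie carries no (or an empty) Path."""
    if not request_path.startswith('/') or request_path.count('/') == 1:
        return '/'
    return request_path.rsplit('/', 1)[0] or '/'


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: is a cookie scoped to cookie_path
    sent on a request for request_path?"""
    if cookie_path == request_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith('/'):
            return True
        if request_path[len(cookie_path)] == '/':
            return True
    return False


def will_send(cookie_path_attr: str, set_on_path: str, later_path: str) -> bool:
    """Would the browser send a cookie set on a response for set_on_path,
    with the given Path attribute, on a later request to later_path?
    An empty Path attribute falls back to the RFC default-path."""
    if cookie_path_attr and cookie_path_attr.startswith('/'):
        effective = cookie_path_attr
    else:
        effective = default_path(set_on_path)
    return path_matches(effective, later_path)


def build_csrf_cookie(environ: dict, token: str, config: dict = None) -> str:
    """Simplified CSRF middleware step returning the Set-Cookie value.

    Old behaviour (the bug): Path comes from SCRIPT_NAME, which is empty
    or a narrow prefix when a media page is opened by direct link.
    Fixed behaviour: Path comes from the assumed csrf_cookie_path setting,
    which defaults to '/'."""
    config = config or {}
    if 'csrf_cookie_path' in config:
        path = config['csrf_cookie_path']       # fixed: configurable, default '/'
    else:
        path = environ.get('SCRIPT_NAME', '')   # buggy: scoped to the mount point
    cookie = SimpleCookie()
    cookie['csrftoken'] = token                 # cookie name is an assumption
    cookie['csrftoken']['path'] = path          # empty path is omitted on output
    return cookie.output(header='').strip()


if __name__ == '__main__':
    # Constructed scenario: a media page is visited directly, then the
    # browser posts a comment to a path outside that media page's prefix.
    environ = {'SCRIPT_NAME': '', 'PATH_INFO': '/media/42/'}
    print('buggy header :', build_csrf_cookie(environ, 'abc123'))
    print('fixed header :', build_csrf_cookie(environ, 'abc123',
                                              {'csrf_cookie_path': '/'}))
    print('buggy sent?  :', will_send('', '/media/42/', '/comments/add/'))
    print('fixed sent?  :', will_send('/', '/media/42/', '/comments/add/'))
```

With an empty SCRIPT_NAME the Set-Cookie value carries no Path attribute, so the browser scopes the cookie to the media page's own prefix and omits it from the comment submission; with csrf_cookie_path set to '/' the same cookie is sent on every request to the domain.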