﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc	parents
1006	CSRF cookie not set if visiting a media page directly	Peter Kuma		"When visiting a media page via a direct link (i.e. without going through the main page), the CSRF cookie is not set for the root path of the domain. Consequently, when a user tries to submit a comment, it fails with 403 Forbidden:

{{{
403 Forbidden

CSRF cookie not present. This is most likely the result of a cookie blocker or somesuch.<br/>Make sure to permit the settings of cookies for this domain
}}}

The reason for this is that the CSRF middleware sets the cookie path to {{{request.environ['SCRIPT_NAME']}}}, and the cookie is not sent when accessing the comment add page.

The issue can be fixed by introducing a new setting {{{csrf_cookie_path}}}, set by default to '/' and using it instead of {{{request.environ['SCRIPT_NAME']}}}. Django does [https://docs.djangoproject.com/en/1.7/ref/settings/#csrf-cookie-path something similar].

Attached is a patch.
"	defect	new	major		programming				
