Open MidoCobra opened 5 years ago
I am almost on my way to knowing the problem. It seems that it is because of the McAfee® WebAdvisor extension in Chrome, or any extension, which blocks your rates, because it works only in incognito mode in Chrome! And I think that's because of CSRF issues, because it also blocked some AJAX calls in my template and I solved it by adding the csrf_exempt decorator in my views! I tried the same with your views but I think I missed the way. Now I'm waiting for your solution, and I'll keep working on it. Thanks all.
Now, by clearing cookies, browsing etc., it works! Where is the bug?
Hi @MidoCobra, I would say you wouldn't want to disable CSRF protection as a workaround. This sounds like it's an error in the Chrome extension; maybe it's stripping some cookies from the request before it's sent.
I wonder if storing the CSRF token on the session will help: https://docs.djangoproject.com/en/2.1/ref/csrf/#is-it-a-problem-that-django-s-csrf-protection-isn-t-linked-to-a-session-by-default
I still get 403's :(
SyntaxError: JSON.parse: unexpected character at line 2 column 1 of the JSON data
onreadystatechange http://127.0.0.1:8000/static/star-ratings/js/dist/star-ratings.js:249
and from backend:
Forbidden (CSRF token missing or incorrect.): /pl/ratings/14/24/
WARNING 2019-08-01 10:14:53,621 log 15004 9736 Forbidden (CSRF token missing or incorrect.): /pl/ratings/14/24/
[01/Aug/2019 10:14:53] "POST /pl/ratings/14/24/ HTTP/1.1" 403 2546
Switching CSRF_USE_SESSIONS = True on and off does not help :/
I don't have any extensions on these browsers (FF/Chrome).
I think I got it - https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
If you set CSRF_COOKIE_HTTPONLY = True:
Whether to use HttpOnly flag on the CSRF cookie. If this is set to True, client-side JavaScript will not be able to access the CSRF cookie.
Hence the 403's I get :/
Hi all, star ratings are working well with Edge, Firefox and other Android browsers, but with Chrome I got this error in my console:
star-ratings.js:259 POST https://##########.com/details/null 404 (Not Found) (I don't know why null?! I'm putting object after ratings and it is defined correctly in my views and URLs, and even readonly=true is working well for star ratings in the same template!)
star-ratings.js:265 POST https://########.com/ratings/28/1/ 403 (Forbidden)
post @ star-ratings.js:265
rate @ star-ratings.js:68
ratingSubmit @ star-ratings.js:60
VM5445:2 Uncaught SyntaxError: Unexpected token < in JSON at position 1
at JSON.parse ()
at XMLHttpRequest.req.onreadystatechange (star-ratings.js:249)
I think it is something about CSRF! But actually I'm not good at all with JavaScript to be able to handle this!
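For the CSRF_COOKIE_HTTPONLY = True and CSRF_USE_SESSIONS = True cases raised in this thread, Django's documentation says to read the token from the rendered page rather than from the cookie. The sketch below is an added example, not part of the thread and not django-star-ratings' own code: it assumes the template renders {% csrf_token %} and uses Django's default cookie, field and header names; the function names and the `doc` parameter are hypothetical. It also avoids calling JSON.parse on the HTML 403 page, which is what produced the SyntaxError in the console output above.

```javascript
// Added example; all tokens below are constructed sample values.
const CSRF_COOKIE = 'csrftoken';           // Django default CSRF_COOKIE_NAME
const CSRF_FIELD = 'csrfmiddlewaretoken';  // hidden input rendered by {% csrf_token %}

// Read one cookie from a document.cookie-style string; HttpOnly cookies never appear here.
function readCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Prefer the token rendered into the page, then fall back to the cookie.
// `doc` is `document` in a browser (hypothetical parameter so the logic is testable).
function resolveCsrfToken(doc) {
  const field = doc.querySelector(`input[name="${CSRF_FIELD}"]`);
  if (field && field.value) return { token: field.value, source: 'dom' };
  const cookieToken = readCookie(doc.cookie, CSRF_COOKIE);
  return cookieToken ? { token: cookieToken, source: 'cookie' } : { token: null, source: 'none' };
}

// Build fetch() options for a rating POST; refuse to send without a token.
function buildRatingRequest(doc, body) {
  const { token } = resolveCsrfToken(doc);
  if (!token) throw new Error('No CSRF token: render {% csrf_token %} in the template');
  return {
    method: 'POST',
    credentials: 'same-origin',  // send the session/CSRF cookies with the request
    headers: { 'Content-Type': 'application/json', 'X-CSRFToken': token },
    body: JSON.stringify(body),
  };
}

// Handle the response without assuming JSON: Django's 403 page is HTML.
function parseRatingResponse(status, contentType, text) {
  if (status < 200 || status >= 300 || !/json/i.test(contentType || '')) {
    const error = status === 403 ? 'forbidden (check CSRF token)' : 'unexpected response';
    return { ok: false, status, error };
  }
  return { ok: true, status, data: JSON.parse(text) };
}
```

In a browser, pass `document` as `doc` and hand the returned options to `fetch(url, options)`.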