Ok, so as you can see I have a Django app going on using csrf. It all works perfectly but, now I want my app to be shown in an iframe (Facebook canvas).
While in my main domain it works, in the Facebook canvas I keep getting this error:
Forbidden (403)
CSRF verification failed. Request aborted.
Reason given for failure:
CSRF token missing or incorrect.
I know I'm missing something, but right now I don't know what it is.
Code:
In settings.py I have this correctly:
FACEBOOK_APP_ID = '***************'
FACEBOOK_API_SECRET = '********************************'
FACEBOOK_EXTENDED_PERMISSIONS = ['email','publish_actions']
I'm using Heroku, and in my Heroku config (set through the Heroku toolbelt) I have FACEBOOK_APP_ID and FACEBOOK_SECRET also correctly set.
More info:
A friend, a really long time ago (nearly two years ago), had already set a Facebook login and a Facebook register working in the app.
I hope this will help you: https://github.com/jjanssen/django-fb-iframe
Django and Facebook do not get along. When embedding a microsite into Facebook it will call an iframe with a POST request. Of course your Django project will then return "CSRF verification failed".
This little Django app will prevent that specific error by converting a POST request with the key signed_request to a GET request. Of course this is just plain ugly, but Facebook should not mess with our application.
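As an added illustration (my own code, not django-fb-iframe and not the asker's project): a middleware in the spirit of the answer above, written against Django's middleware protocol but run here against a SimpleNamespace stand-in for HttpRequest so it executes without Django. It only rewrites the canvas POST to a GET after verifying the HMAC-SHA256 signature of signed_request with the app secret, so only a request genuinely signed by Facebook gets past the CSRF check. The app_secret constructor argument, make_signed_request and resulting_method are assumptions and constructed test helpers, not Django or Facebook APIs.

```python
import base64
import hashlib
import hmac
import json
from types import SimpleNamespace


def _b64url_decode(data: str) -> bytes:
    # Facebook strips base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def parse_signed_request(signed_request: str, app_secret: str):
    """Return the decoded payload if its HMAC-SHA256 signature verifies, else None."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(app_secret.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(encoded_sig), expected):
        return None
    data = json.loads(_b64url_decode(payload))
    return data if data.get("algorithm", "").upper() == "HMAC-SHA256" else None


class FacebookSignedRequestMiddleware:
    # Rewrite Facebook's canvas POST to a GET, but only once signed_request verifies
    def __init__(self, get_response, app_secret):
        # Assumption: the secret is injected here; a real project would read settings.FACEBOOK_API_SECRET
        self.get_response = get_response
        self.app_secret = app_secret

    def __call__(self, request):
        if request.method == "POST" and "signed_request" in request.POST:
            data = parse_signed_request(request.POST["signed_request"], self.app_secret)
            if data is not None:
                request.method = "GET"  # CsrfViewMiddleware only checks unsafe methods
                request.facebook_signed_request = data  # hand the verified payload to the view
        return self.get_response(request)


def make_signed_request(payload: dict, app_secret: str) -> str:
    # Constructed test helper that signs a payload the same way Facebook does
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
    sig = hmac.new(app_secret.encode(), body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).rstrip(b"=").decode() + "." + body.decode()


def resulting_method(method: str, post: dict, app_secret: str = "constructed-secret") -> str:
    # Run one request (SimpleNamespace stand-in for HttpRequest) through the middleware
    request = SimpleNamespace(method=method, POST=post)
    return FacebookSignedRequestMiddleware(lambda r: r.method, app_secret)(request)
```

Rewriting request.method does not move the form fields into request.GET; the view reads the verified payload from request.facebook_signed_request instead.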