From 64bb72d4c20855df6ee808eca2695d3679d78897 Mon Sep 17 00:00:00 2001
From: Christian Bergmiller
Date: Tue, 10 Dec 2019 08:39:29 +0100
Subject: [PATCH] read csrftoken from DOM if no cookie is set
---
 graphene_django/static/graphene_django/graphiql.js | 5 ++++-
 graphene_django/templates/graphene/graphiql.html | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/graphene_django/static/graphene_django/graphiql.js b/graphene_django/static/graphene_django/graphiql.js
index 2be7e3c..e38cd62 100644
--- a/graphene_django/static/graphene_django/graphiql.js
+++ b/graphene_django/static/graphene_django/graphiql.js
@@ -3,8 +3,11 @@
 // Parse the cookie value for a CSRF token
 var csrftoken;
 var cookies = ('; ' + document.cookie).split('; csrftoken=');
- if (cookies.length == 2)
+ if (cookies.length == 2) {
 csrftoken = cookies.pop().split(';').shift();
+ } else {
+ csrftoken = document.querySelector("[name=csrfmiddlewaretoken]").value;
+ }
 // Collect the URL parameters
 var parameters = {};
diff --git a/graphene_django/templates/graphene/graphiql.html b/graphene_django/templates/graphene/graphiql.html
index d0fb5a8..a0d0e1a 100644
--- a/graphene_django/templates/graphene/graphiql.html
+++ b/graphene_django/templates/graphene/graphiql.html
@@ -31,6 +31,7 @@ add "&raw" to the end of the URL within a browser.
 crossorigin="anonymous">
+ {% csrf_token %}
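Review bot: The new `else` branch in graphiql.js dereferences `document.querySelector("[name=csrfmiddlewaretoken]")` without a null check, so a page that lacks the hidden input (for example a project-overridden graphiql.html without the `{% csrf_token %}` line added in the second hunk) would throw a TypeError and abort the enclosing function, where the old code simply left `csrftoken` undefined. Guard the lookup: `var tokenInput = document.querySelector("[name=csrfmiddlewaretoken]");` followed by `if (tokenInput) { csrftoken = tokenInput.value; }`. A short comment such as `// Cookie is not readable from JS when CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS is enabled; fall back to the {% csrf_token %} input` would record why the fallback exists, which the commit subject implies but the code does not say. The enclosing function begins and ends outside the hunk, so how `csrftoken` is later attached to requests is not visible here.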