ios 10.3 breaks ajax set-cookie

My phonegap app communicates with django, so I use the method described in the following article to capture and send csrftoken:

https://docs.djangoproject.com/en/1.10/ref/csrf/

This has been working till iOS 10.3. In iOS 10.3, the ajax call gets all response headers except Set-Cookie. I tried adding xhrFields: {withCredentials: true} and crossDomain: true but it makes no difference.

Here is the request to get the csrftoken:

$.ajax({beforeSend: function(xhr) {xhr.withCredentials = true;},

        type: "GET",

        url: 'url',

        xhrFields: {withCredentials: true},

        crossDomain: true,

        success: function(data, textStatus, xhr) {

            // returns cookie in any iOS except the latest iOS 10.3

           document.cookie = xhr.getResponseHeader("Set-Cookie"); 

        },

});

The same code works fine in iOS 10.2 and we can save the csrftoken from "Set-Cookie" header for later use.

iOS 10.3 somehow prevents this "Set-Cookie" response header from appearing in the xhr object, thus we cannot get the csrftoken from server and any subsequent POST action will be forbidden.

Please advise, thank you!