6

I have a plugin for my app that users can implement in their website that contains a form. The problem is that I get TokenMismatchException when the form is submitted. From all the research I've done I can see it is a protection for cross-origin from Laravel.

I know I can disable it, but I don't know how I will protect the form after that.

Have any of you come across this issue? What is the best practice?

Thank you

Note: I've noticed that if the user has previously visited the original website and then goes to the website where the iframe is included, the exception is not thrown anymore.

lesandru

4 Answers

8

You need to change the same_site value in config/session.php.

Like this:

'same_site' => 'none',
'secure' => env('SESSION_SECURE_COOKIE'),

Then set SESSION_SECURE_COOKIE=true in the .env file.

For more info, check this YouTube video.

Mohamed SLimani
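As an added illustration, not part of this answer or of Laravel's shipped file: the relevant config/session.php keys, with the Laravel 7+ default beside the value recommended above, and why the default breaks a form posted from a cross-site iframe. The key names are Laravel's own; the comments and the Safari remark are mine.

```php
<?php
// config/session.php (excerpt). Added example, not the answer's own code.
return [
    // ...

    // Laravel 7+ default ('lax'): the browser withholds the session cookie
    // on a cross-site POST, which is exactly what a form submitted from an
    // iframe hosted on another site is. Laravel then starts a fresh session,
    // the submitted _token matches nothing, and VerifyCsrfToken throws
    // TokenMismatchException.
    // 'same_site' => 'lax',

    // Needed for the embedded form: send the cookie in cross-site contexts.
    // Browsers only accept 'none' together with the Secure attribute, so the
    // app must be served over HTTPS and 'secure' below must be true.
    'same_site' => 'none',

    // SESSION_SECURE_COOKIE=true in .env; the default here is an assumption
    // for this example (Laravel's shipped file has no default).
    'secure' => env('SESSION_SECURE_COOKIE', true),

    // Keep the session cookie out of page script (Laravel's default).
    'http_only' => true,
];
```

Caveat: SameSite=None only asks the browser to send the cookie; it does not override third-party cookie blocking. Safari's long-standing default of allowing third-party cookies only from sites the user has visited directly is consistent with the note in the question (the iframe works once the original site has been visited), and in that case no session.php setting will make the cookie arrive, so the form should not depend on a session at all.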
2

Laravel doesn't allow forms to be submitted from other domains, but you can set an exception.

You can add the exception in App/Http/Middleware/VerifyCsrfToken.php.

protected $except = [
    'post/something'
];

Source: EasyLaravel

Alex
  • I just answered to @Houssain Amrani that I've included it already – lesandru Nov 26 '15 at 22:52
  • Are you sure the CSRF field gets rendered? Does the data get sent to your server correctly? You can check that in FireBug or Chrome's Debug tool. – Alex Nov 26 '15 at 22:55
  • yeah man. The CSRF gets rendered, everything works fine in Firefox and Chrome, but in Safari I get the TokenMismatchException – lesandru Nov 26 '15 at 22:56
  • Check my note in the question, that's something weird: if I visit the original website, the iframe works fine afterwards. I'm thinking it might be related to cookies. – lesandru Nov 26 '15 at 22:57
  • I might have an idea. Add the URL the iframe gets submitted to the `$except` array in `Middleware/VerifyCsrfToken.php`. – Alex Nov 26 '15 at 23:02
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/96298/discussion-between-lesandru-and-alex). – lesandru Nov 26 '15 at 23:04
0

If I understood the problem, the submitted form must have a token input that contains the session token.

<form method="post" action="YourAction">
    <!-- Laravel's VerifyCsrfToken middleware compares this field with the session token -->
    <input type="hidden" name="_token" value="{{ Session::token() }}">
    <!-- other form fields -->
</form>
Houssain Amrani
0

You can disable the CSRF token check for a specific URL by adding the URL to the $except array in app/Http/Middleware/VerifyCsrfToken.php.

Akshay Khale
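Both this answer and Alex's answer above solve the exception by listing the route in $except, which removes Laravel's check for that route entirely, and the question asks what protects the form after that. The following is an added example, not code from Laravel or from any of the answers, of a stateless replacement: a middleware that verifies an HMAC-signed, time-limited token bound to the embedding site's origin, so it works even when the browser refuses the iframe a session cookie. The route 'plugin/submit', the class and field names, and the assumption that each customer who embeds the plugin has a registered origin are all invented for the example.

```php
<?php
// Added example for this thread, not Laravel's or the answers' own code.
//
// Wiring (assumed for the example):
//   app/Http/Middleware/VerifyCsrfToken.php : protected $except = ['plugin/submit'];
//   app/Http/Kernel.php, $routeMiddleware   : 'embed.token' => EmbeddedFormToken::class,
//   routes/web.php : Route::post('plugin/submit', ...)->middleware('embed.token');
//   form template  : <input type="hidden" name="_embed_token"
//                     value="{{ App\Http\Middleware\EmbeddedFormToken::issue($customerOrigin) }}">

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EmbeddedFormToken
{
    // Reject tokens older than one hour.
    const MAX_AGE = 3600;

    // Issue a token for a form that will be embedded by $embedOrigin, the
    // customer's registered origin, e.g. "https://customer.example".
    // No session is involved, so the missing cookie from the question is irrelevant.
    public static function issue(string $embedOrigin, ?int $now = null): string
    {
        $payload = ($now ?? time()) . '|' . $embedOrigin;
        $mac     = hash_hmac('sha256', $payload, self::key());

        return base64_encode($payload . '|' . $mac);
    }

    // True only if the MAC is valid, the origin matches and the token is fresh.
    public static function verify(string $token, string $embedOrigin, ?int $now = null): bool
    {
        $decoded = base64_decode($token, true);
        if ($decoded === false || substr_count($decoded, '|') !== 2) {
            return false;
        }
        [$issuedAt, $origin, $mac] = explode('|', $decoded);
        if (!ctype_digit($issuedAt) || $origin !== $embedOrigin) {
            return false;
        }
        $expected = hash_hmac('sha256', $issuedAt . '|' . $origin, self::key());
        if (!hash_equals($expected, $mac)) {   // constant-time comparison
            return false;
        }

        return (($now ?? time()) - (int) $issuedAt) <= self::MAX_AGE;
    }

    public function handle(Request $request, Closure $next)
    {
        // Browsers set Origin on cross-origin POSTs and page script cannot
        // forge it, so binding the token to it stops a third site from
        // replaying a token copied out of a customer's page.
        $origin = (string) $request->headers->get('Origin', '');
        $token  = (string) $request->input('_embed_token', '');

        if ($origin === '' || !self::verify($token, $origin)) {
            abort(419, 'Embedded form token missing, invalid or expired.');
        }

        return $next($request);
    }

    // APP_KEY as configured; Laravel stores it as "base64:..." by default.
    private static function key(): string
    {
        $key = (string) config('app.key');

        return strpos($key, 'base64:') === 0 ? base64_decode(substr($key, 7)) : $key;
    }
}
```

What this proves is that the POST came from a page on the registered embedding origin within the last hour, not who the visitor is: since the iframe may have no session, the exempted route should only handle data the form itself carries (a contact or signup submission) and never act on the visitor's own account.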