I have a page running on http://some.example.com/myiframes/default.aspx. This page has an iframe. The iframe source contains a Laravel 5.2-based application.

My Laravel page URL "which is the source of the iframe" is https://laravel.example.com.

https://laravel.example.com has a form with a submit button. When a user clicks it, he/she hits another route on the same domain, i.e. https://laravel.example.com/disply/survey

But every time I submit the form I get the following exception:

TokenMismatchException in VerifyCsrfToken.php line 67:

To make sure I am clear, on the page http://some.example.com/myiframes/default.aspx my code looks something like this

On my Laravel app, which is located at https://laravel.example.com, here is my form:

<form method="POST" action="https://laravel.example.com/disply/survey" accept-charset="UTF-8" class="form">
    <input name="_token" type="hidden" value="Dk6SN4WzO4brbvdnBO6JZ7e1lBGjmYz8GQJ1lYFo">
    <input name="survey_id" type="hidden" value="10">
    <input name="call_id" type="hidden" value="667">
    <input name="pools" type="hidden">

    <input name="alt_id_1" type="hidden" value="250">
    <input name="alt_id_2" type="hidden" value="5">
    <input name="alt_id_3" type="hidden">
    <input name="alt_id_4" type="hidden">
    <input name="alt_id_5" type="hidden">
    <input name="alt_id_6" type="hidden">
    <input name="alt_id_7" type="hidden">
    <input name="alt_id_8" type="hidden">
    <input name="alt_id_9" type="hidden">
    <input name="alt_id_10" type="hidden">

    <input name="alt_string_1" type="hidden">
    <input name="alt_string_2" type="hidden">
    <input name="alt_string_3" type="hidden">
    <input name="alt_string_4" type="hidden">
    <input name="alt_string_5" type="hidden">
    <input name="alt_string_6" type="hidden">
    <input name="alt_string_7" type="hidden">
    <input name="alt_string_8" type="hidden">
    <input name="alt_string_9" type="hidden">
    <input name="alt_string_10" type="hidden">

    <div class="text-center">
        <input class="btn btn-primary" type="submit" value="Start Survey">
    </div>
</form>

The form works perfectly outside of the iframe. The problem only happens when I am inside the iframe.

I opened the VerifyCsrfToken class located in App\Http\Middleware and added http://some.example.com to the $except array, which did not fix the problem.

protected $except = [
    'http://some.example.com'
];

What could be causing this issue? How can I correct the problem?

Edit: here is my template

{!! Form::open([
    'url' => route('my.surveys.display'),
    'class' => 'form',
    'method' => 'post'
]) !!}
{!! Form::hidden('survey_id', $survey_id) !!}
{!! Form::hidden('call_id', $call_id) !!}
{!! Form::hidden('pools', $pools) !!}
{!! Form::hidden('call_type', $type) !!}

{!! Form::hidden('alt_id_1', $alt_id_1) !!}
{!! Form::hidden('alt_id_2', $alt_id_2) !!}
{!! Form::hidden('alt_id_3', $alt_id_3) !!}
{!! Form::hidden('alt_id_4', $alt_id_4) !!}
{!! Form::hidden('alt_id_5', $alt_id_5) !!}
{!! Form::hidden('alt_id_6', $alt_id_6) !!}
{!! Form::hidden('alt_id_7', $alt_id_7) !!}
{!! Form::hidden('alt_id_8', $alt_id_8) !!}
{!! Form::hidden('alt_id_9', $alt_id_9) !!}
{!! Form::hidden('alt_id_10', $alt_id_10) !!}

{!! Form::hidden('alt_string_1', $alt_string_1) !!}
{!! Form::hidden('alt_string_2', $alt_string_2) !!}
{!! Form::hidden('alt_string_3', $alt_string_3) !!}
{!! Form::hidden('alt_string_4', $alt_string_4) !!}
{!! Form::hidden('alt_string_5', $alt_string_5) !!}
{!! Form::hidden('alt_string_6', $alt_string_6) !!}
{!! Form::hidden('alt_string_7', $alt_string_7) !!}
{!! Form::hidden('alt_string_8', $alt_string_8) !!}
{!! Form::hidden('alt_string_9', $alt_string_9) !!}
{!! Form::hidden('alt_string_10', $alt_string_10) !!}

<div class="text-center">
    {!! Form::submit('Start Survey', ['class' => 'btn btn-primary', 'id' => 'start_survey']) !!}
</div>
{!! Form::close() !!}
Junior

2 Answers

Given the details that you provide in the original question, it seems that Laravel is behaving exactly as it should when refusing to allow you to submit the form.

The user-agent is browsing to http://some.example.com and POSTing the form to https://laravel.example.com, via an iframe. If I'm not mistaken, this is precisely the behavior that CSRF tokens are designed to prevent.

This question may even be a duplicate of Laravel 5 TokenMismatchException only in iFrame. I concur with the accepted answer there.

If this is an internal site and you're willing to accept the associated risks, you may add an exception for the route to which you are POSTing, as described in the above-cited answer.

Ben Johnson

Follow these steps

https://laravel.com/docs/master/routing#csrf-x-csrf-token

X-CSRF-TOKEN

In addition to checking for the CSRF token as a POST parameter, the Laravel VerifyCsrfToken middleware will also check for the X-CSRF-TOKEN request header. You could, for example, store the token in a "meta" tag:

Once you have created the meta tag, you can instruct a library like jQuery to add the token to all request headers. This provides simple, convenient CSRF protection for your AJAX based applications:

$.ajaxSetup({ headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') } });

X-XSRF-TOKEN

Laravel also stores the CSRF token in an XSRF-TOKEN cookie. You can use the cookie value to set the X-XSRF-TOKEN request header. Some JavaScript frameworks, like Angular, do this automatically for you. It is unlikely that you will need to use this value manually.

MONTS_MIND_Hacker
  • I am not using any Ajax/JS requests. I am submitting a simple form. The form works with no issue when it is not in an iframe. The problem happens when I put it in an iframe on a different domain. Keep in mind that the form and the form request handler are both on the Laravel application. – Junior Jan 08 '16 at 04:06
  • @MikeA, I have gone through the detailed doc from here: http://pipwerks.com/2008/11/30/iframes-and-cross-domain-security-part-2/ and so, you have to pass that token value through AJAX manually. So, it will verify this token. – MONTS_MIND_Hacker Jan 13 '16 at 07:21
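As an added illustration of what both answers describe (excluding the route, and the header-based token sources), here is a Python model of the decisions Laravel 5.2's VerifyCsrfToken middleware makes; it is not Laravel's own code, the session lookup and cookie decryption are stand-ins, and the token value used in the test is the one from the question's form. The point it makes concrete: `$except` entries are URI path patterns matched with `$request->is()`, so the domain entry from the question never matches, while an entry for the exact POST path does, and that entry turns CSRF verification off for that route, so it should be no wider than the path itself.

```python
import hmac
import re
from typing import Callable, Iterable, Mapping, Optional

# Python model (illustration only, not Laravel's own code) of the decisions
# Laravel 5.2's VerifyCsrfToken middleware makes. Session storage and cookie
# decryption are stand-ins supplied by the caller.

READ_METHODS = {"GET", "HEAD", "OPTIONS"}


def path_is(path: str, pattern: str) -> bool:
    """Mirror $request->is(): a pattern is a URI path relative to the app
    root, '*' is the only wildcard, and it must match the whole path."""
    path = path.strip("/") or "/"
    pattern = pattern if pattern == "/" else pattern.strip("/")
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def in_except_array(path: str, except_patterns: Iterable[str]) -> bool:
    """$except entries are compared with the request path, so an origin such
    as 'http://some.example.com' never matches; 'disply/survey' would."""
    return any(path_is(path, p) for p in except_patterns)


def submitted_token(form: Mapping[str, str], headers: Mapping[str, str],
                    decrypt: Callable[[str], str]) -> Optional[str]:
    """Token sources in the order checked: the _token field, the X-CSRF-TOKEN
    header, then X-XSRF-TOKEN (the encrypted XSRF-TOKEN cookie value)."""
    token = form.get("_token") or headers.get("X-CSRF-TOKEN")
    if not token and headers.get("X-XSRF-TOKEN"):
        token = decrypt(headers["X-XSRF-TOKEN"])
    return token


def verify_csrf(method: str, path: str, form: Mapping[str, str],
                headers: Mapping[str, str], session_token: Optional[str],
                except_patterns: Iterable[str] = (),
                decrypt: Callable[[str], str] = lambda v: v) -> bool:
    """True when the request passes the middleware, False where Laravel
    would raise TokenMismatchException."""
    if method.upper() in READ_METHODS:
        return True  # read requests are never checked
    if in_except_array(path, except_patterns):
        return True  # route explicitly excluded: no CSRF protection here
    token = submitted_token(form, headers, decrypt)
    # hash_equals(): both values must be strings, compared in constant time
    return (isinstance(session_token, str) and isinstance(token, str)
            and hmac.compare_digest(session_token, token))
```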