When I try to post a form request using a window.open script, it causes a CSRF token mismatch exception in Safari on Laravel 7.X. I've tested Chrome and Firefox and they're just fine. Safari also works perfectly with the same code on Laravel 6.18.16.
Environments
- Laravel Version: 7.13.0
- PHP Version: 7.2.31
- Database Driver & Version: n/a
- macOS: 10.15.5
- Safari: 13.1.1
- Chrome: 83.0.4103.61
- Firefox: 76.0.1
Steps To Reproduce:
- Install a fresh Laravel app

    composer create-project --prefer-dist laravel/laravel popup7

- web.php

    Route::get('/', function () {
        return view('welcome');
    });

    Route::post('/blank', function () {
        return 'blank page';
    });

- welcome.blade.php

    <!DOCTYPE html>
    <html lang="{{ str_replace('_', '-', app()->getLocale()) }}">
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <title>Laravel</title>
        <script>
            function openPopup(target) {
                window.open("", target + "_popup", "width=430,height=640,scrollbar=yes");
                let form = document.getElementById(target);
                form.target = target + "_popup";
                form.submit();
            }
        </script>
    </head>
    <body>
        <form id="mobile" name="mobile" action="/blank" method="POST">
            @csrf
            <button onclick="openPopup('mobile');">
                open
            </button>
        </form>
    </body>
    </html>

- Click the 'open' button
Additional Information
There is no proper cookie header for the /blank request on Laravel 7.X
request/response header for /blank in Safari on Laravel 7.X
- request
- response
request/response header for /blank in Safari on Laravel 6.18.16
- request
- response