Why is the CSRF token value of a form in Shopware 5 not present when the website is opened in an iframe?
I am trying to open a certain page of a Shopware 5 website which has a form - as an iframe in a different website (not Shopware based). I have noticed that the value of the CSRF token is empty. What needs to be changed so that the token would be assigned?
Viewed 320 times
1 Answer
1
I think this is due to the browser's restrictions on cookies in iframes, because cookies are needed for the CSRF token.

Alex
- And I would say that you are right, I’ve checked the CSRF plugin and indeed it wants to add a cookie and if it fails then it’s not enabled. – David Jun 13 '21 at 06:03
- Would there be any bypass? – David Jun 13 '21 at 06:04
- I think it depends on the browsers. See also https://stackoverflow.com/questions/2117248/setting-cookie-in-iframe-different-domain - I think for Safari it does not work at all nowadays. It is generally possible to append the session id to the URLs, but this would probably require modification of Shopware 5. We did this for Laravel before: https://github.com/iMi-digital/laravel-transsid - maybe the PHP option `session.use_trans_sid` works for Shopware 5 (for Laravel it doesn't). And this has security implications, as URL based sessions are easier to steal than cookies. – Alex Jun 13 '21 at 13:00
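To make the cookie dependency concrete, here is an added example (not Shopware's own code, and not from the answer above) of a minimal cookie-backed CSRF token: the token is only usable when the browser accepted the cookie, and for a form embedded in a cross-site iframe that means the cookie has to carry `SameSite=None` and `Secure` (so HTTPS is required). The cookie name `__csrf_token` and the hidden field name are assumptions for this example.

```php
<?php
// Added example: cookie-backed CSRF token and the check that refuses a
// request whose token cookie never arrived (the empty-token case from the
// question). Assumed names: cookie "__csrf_token", field "__csrf_token".
declare(strict_types=1);

const CSRF_COOKIE = '__csrf_token'; // assumed name, not Shopware's
session_start();

// Issue a token: kept in the session and mirrored in a cookie.
// Inside a third-party iframe the browser only stores this cookie if it is
// marked SameSite=None and Secure; otherwise it is silently dropped.
function issueCsrfToken(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_token'] = $token;
    setcookie(CSRF_COOKIE, $token, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,   // mandatory together with SameSite=None
        'httponly' => false,  // front-end JS may need to read the token
        'samesite' => 'None', // permit the cookie in a cross-site iframe
    ]);
    return $token;
}

// Validate a POST: the hidden field must match both the session value and
// the cookie. A missing cookie means the token was never assigned, so the
// request is rejected instead of being trusted without a check.
function csrfRequestIsValid(array $post, array $cookie, array $session): bool
{
    $field      = $post['__csrf_token'] ?? '';
    $stored     = $session['csrf_token'] ?? '';
    $fromCookie = $cookie[CSRF_COOKIE] ?? '';
    if ($field === '' || $stored === '' || $fromCookie === '') {
        return false;
    }
    return hash_equals($stored, $field) && hash_equals($fromCookie, $field);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !csrfRequestIsValid($_POST, $_COOKIE, $_SESSION)) {
    http_response_code(403);
    exit('CSRF check failed');
}

// Render the form with the token in a hidden field.
$token = $_SESSION['csrf_token'] ?? issueCsrfToken();
echo '<form method="post"><input type="hidden" name="__csrf_token" value="'
    . htmlspecialchars($token, ENT_QUOTES) . '"><button type="submit">Send</button></form>';
```

Browsers that block third-party cookies outright (Safari is named in the comment above) will still drop the cookie regardless of these attributes, which is why the URL-based session fallback is discussed; as the comment notes, that fallback is easier to steal than a cookie.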