1

I have a project where I implemented Sanctum to be used as authentication for api calls. This is the way I use it

// First request: Sanctum starts a session and sets the XSRF-TOKEN cookie
axios.get('/sanctum/csrf-cookie').then(response => {
  // axios copies XSRF-TOKEN from document.cookie into the X-XSRF-TOKEN header
  axios.post('/api/login', {data: data})
    .then(response => {
      ...
    })
    .catch(error => {
      ...
    });
});

When I run this as a standalone page, everything works fine. But once I try to use the same url with the same data in an iframe within another project, I get a CSRF token mismatch error. Any guidance would be much appreciated.

Matrix
  • Duplicate of https://stackoverflow.com/questions/33946295/laravel-5-1-csrf-in-iframe-how-to-make-it-work – Samuel Ferdary Jan 05 '22 at 15:52
  • @SamuelFerdary yes, I saw that one but I'm concerned as to what security threats the provided solution opens? Also, it is not a submission between different domains, everything is happening on the same site/domain. – Matrix Jan 06 '22 at 06:49

2 Answers

3

iframe usage and security is use case dependent.

Security wise:

If you care about security, don't use iframes.

See:

StackExchange: What are the security implications of having login dialog inside of an iframe

Disable CSRF on specified endpoints:

If you have specific routes that don't need CSRF protection, then you can make an exception for these routes in Http/Middleware/VerifyCsrfToken.php

See:

StackOverflow: Laravel 5 TokenMismatchException only in iFrame

Go all in on iframe support:

You can edit the session settings in config/session.php

See:

StackOverflow: Laravel 5.1 CSRF in iframe, how to make it work?

Samuel Ferdary
  • That page within iframe is not used for traditional user login. User actually logs in in the host application and then passes a token to the iframe by which user is identified on the application within iframe. I don't really want to disable csrf check. Playing around with session config might be a step to the right direction – Matrix Jan 07 '22 at 07:45
0

Go into config/session.php, and change this:

'secure' => env('SESSION_SECURE_COOKIE', true)

'same_site' => 'none',

Also, check your .env file for the value set for SESSION_SECURE_COOKIE, if it is set to false in the .env file then change it to true.

WebDev-SysAdmin