mb21

Reputation: 39468

Submitting form through iframe: Rails 4 InvalidAuthenticityToken in Chrome, Safari

I have a form on a page which other people can embed through an iframe on their sites. When submitting that form I get an ActionController::InvalidAuthenticityToken error, in Safari and also Chrome (with third-party cookies turned off) but not in Firefox.

My understanding was that I don't have to rely on third-party cookies being activated if I've got this in my header:

<head>
    <%= csrf_meta_tags %>
</head>

But apparently that's not true...?

And I'm even seeing the token in my server log:

Parameters: {"utf8"=>"✓", "authenticity_token"=> "2ig3BPn9...
Can't verify CSRF token authenticity

So what's going on here?

Upvotes: 1

Views: 1963

Answers (2)

Eng . Thales Dias

Reputation: 1

Insert into the form:

<input type="hidden" name="authenticity_token" value="<%= form_authenticity_token %>"/>

Ex:

<form name="as" target="open_here" method="get" action="material">
    <input type="hidden" name="materialid" value="56"/>
    <input type="hidden" name="authenticity_token" value="<%= form_authenticity_token %>"/>
    <input type="submit" value="Submit open_here" />
</form>

or

<form name="unit" target="open_here" method="get" action="/redmine/issues_materials/material" >
    <input type="hidden" id="material_id" name="materialid" value="" /><!-- the value is filled in by script 2: document.getElementById('material_id').value = materialid; -->
    <input type="hidden" name="authenticity_token" value="<%= form_authenticity_token %>"/> <!-- for this to work, this key has to be sent along -->
    <input id="idunit" type="submit" value="open here submit" style="display: none;"/>
</form>

<iframe id="open_here" name="open_here" frameborder="0" scrolling="no" width="60" height="80"></iframe> 

Upvotes: 0

mb21

Reputation: 39468

From the ActionController::RequestForgeryProtection docs:

Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks by including a token in the rendered HTML for your application. This token is stored as a random string in the session, to which an attacker does not have access. When a request reaches your application, Rails verifies the received token with the token in the session.

So even if you embed the token with csrf_meta_tags, you still need it in the session too (i.e. in the cookie). That's why it doesn't work in the iframe when third-party cookies are disabled.

Upvotes: 1
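The following Ruby script is an added illustration of the verification both answers rely on; it is not Rails' own code and not part of either answer. It models the session-backed check the docs describe: the server keeps a random secret in the session (carried by the cookie), embeds a masked copy of it in the page, and on submit compares the unmasked form token against the secret from the cookie. The masking with a one-time pad follows the scheme Rails introduced in 4.2; the method and hash names (`CsrfDemo`, `_csrf_token`, `verified_request?`) are assumptions chosen for the example. The point it makes runnable: when the browser withholds the session cookie (third-party cookies blocked inside an iframe), the request fails even though the `authenticity_token` parameter is present, which is exactly what the log in the question shows.

```ruby
require 'securerandom'
require 'base64'

# Added illustration of a session-backed CSRF check (not Rails' implementation).
module CsrfDemo
  TOKEN_LENGTH = 32 # bytes of secret per session (assumed; Rails uses 32 too)

  # Server side: a fresh session gets a random secret, stored in the session cookie.
  def self.new_session
    { '_csrf_token' => SecureRandom.base64(TOKEN_LENGTH) }
  end

  # Token the server embeds in the page (csrf_meta_tags / hidden input).
  # Masked per request with a one-time pad so the raw secret never appears verbatim.
  def self.form_token(session)
    raw = Base64.strict_decode64(session['_csrf_token'])
    one_time_pad = SecureRandom.random_bytes(raw.bytesize)
    masked = xor_bytes(one_time_pad, raw)
    Base64.strict_encode64(one_time_pad + masked)
  end

  def self.xor_bytes(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time comparison so a timing side channel does not leak the secret.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Recover the session secret from a submitted token; nil if malformed.
  def self.unmask(param)
    decoded = Base64.strict_decode64(param)
    return nil unless decoded.bytesize == 2 * TOKEN_LENGTH
    pad = decoded[0, TOKEN_LENGTH]
    masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
    xor_bytes(pad, masked)
  rescue ArgumentError
    nil
  end

  # `session` is nil when the browser sent no session cookie with the request,
  # which is what happens in an iframe with third-party cookies blocked.
  def self.verified_request?(session, params)
    return false if session.nil? || session['_csrf_token'].nil?
    token = params['authenticity_token']
    return false if token.nil?
    unmasked = unmask(token)
    return false if unmasked.nil?
    secure_compare(unmasked, Base64.strict_decode64(session['_csrf_token']))
  end
end

if $PROGRAM_NAME == __FILE__
  session = CsrfDemo.new_session           # cookie set on the user's first visit
  token = CsrfDemo.form_token(session)     # what csrf_meta_tags would render
  params = { 'utf8' => '✓', 'authenticity_token' => token } # constructed submit

  puts "same-site submit, cookie sent:      #{CsrfDemo.verified_request?(session, params)}"
  puts "iframe submit, cookie withheld:     #{CsrfDemo.verified_request?(nil, params)}"
  puts "token from another user's session:  #{CsrfDemo.verified_request?(CsrfDemo.new_session, params)}"
end
```

The second line of output is the case from the question: the token parameter is in the request, but with no session cookie there is nothing on the server to compare it against, so the check fails regardless of how the token got into the page.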
