Flyingmartini

Reputation: 151

Antiforgery Token Cookie Not Appearing in Request Headers Only When Embedded in Iframe

I'm trying to embed a simple web app running ASP.NET Core 2.0, which will POST user input, into an iframe. The problem I am having is that while embedded, the request headers that are being generated lack the cookie header that contains the .AspNetCore.Antiforgery.[token]. It is being generated as expected outside of the iframe.

This is causing a 400 error because the post is unable to validate the token.

Request headers generated outside of iframe: [screenshot: Request Headers: NO IFRAME]

Request headers generated inside of iframe: [screenshot: Request Headers: INSIDE IFRAME]

Has anyone had this issue with the antiforgery token library?

Thanks!!

Upvotes: 5

Views: 4296

Answers (2)

Robert Muehsig

Reputation: 5326

The answer from Flyingmartini didn't work for me, I needed to set these properties as well:

    services.AddAntiforgery(options =>
    {
        // Stop the antiforgery system from emitting X-Frame-Options: SAMEORIGIN,
        // which would otherwise block the page from rendering inside the iframe.
        options.SuppressXFrameOptionsHeader = true;
        // The cookie is a cross-site cookie when the app is framed, so it must not be Lax/Strict.
        options.Cookie.SameSite = SameSiteMode.None;
        // Mark the cookie Secure whenever the request itself arrived over HTTPS.
        options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
    });

Upvotes: 2

Flyingmartini

Reputation: 151

Turns out the SameSite property on the cookie class for the antiforgery options needs to be set to None for this to work:

services.AddAntiforgery(options => { options.Cookie.SameSite = SameSiteMode.None; });

Upvotes: 10
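Both answers above loosen the antiforgery cookie so that it survives being sent from inside a third-party iframe. The example below is an added, complete Startup class (not code from either answer) that puts those settings together with the two things a practitioner will want alongside them. It chooses CookieSecurePolicy.Always rather than SameAsRequest, because browsers that implement the 2019 SameSite changes (Chrome 80 and later) silently drop a SameSite=None cookie that is not also marked Secure, which reproduces exactly the "cookie missing from the request headers" symptom from the question. It also re-adds a framing restriction: SuppressXFrameOptionsHeader removes the X-Frame-Options header that otherwise prevents the app from being framed by arbitrary sites, so a Content-Security-Policy frame-ancestors directive is set that only allows the intended parent. The parent origin constant and the inline middleware are assumptions for illustration. One further caveat: in the unpatched ASP.NET Core 2.0 used in the question, SameSiteMode.None omits the SameSite attribute entirely, and current Chrome treats a missing attribute as Lax; the explicit "SameSite=None" value is only emitted by the patched 2.1 runtime (November 2019 update) and by 3.1 and later, which added SameSiteMode.Unspecified for the "omit" case.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Hypothetical origin of the page that hosts the iframe (placeholder; set to the real parent site).
    private const string ParentOrigin = "https://parent.example";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAntiforgery(options =>
        {
            // When the app is framed by another site, the antiforgery cookie is a
            // cross-site cookie. Lax (the browser default) or Strict would stop the
            // browser from attaching it to the framed form's POST, so the server
            // could never match it against the token in the form and returns 400.
            options.Cookie.SameSite = SameSiteMode.None;

            // Chrome 80+ (and browsers with the same SameSite rules) reject a
            // SameSite=None cookie unless it is also Secure. Always is chosen here
            // instead of SameAsRequest so the cookie is never set over plain HTTP
            // where it would be discarded anyway; the app must be served over HTTPS.
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;

            // The antiforgery system adds X-Frame-Options: SAMEORIGIN to any response
            // that renders a token, which would block the iframe. Suppress it here and
            // replace it with a scoped CSP frame-ancestors policy below.
            options.SuppressXFrameOptionsHeader = true;
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // X-Frame-Options was suppressed above, so restore clickjacking protection with
        // a CSP that only lets this app itself and the known parent origin frame it.
        app.Use(async (context, next) =>
        {
            context.Response.Headers["Content-Security-Policy"] =
                "frame-ancestors 'self' " + ParentOrigin;
            await next();
        });

        app.UseMvc();
    }
}
```

With this configuration the antiforgery check still behaves as a synchroniser token: the form field token and the cookie token are both required on the POST, so relaxing SameSite on the cookie does not by itself let a third site forge the request, while the frame-ancestors directive keeps the list of sites allowed to embed the form to the one that actually needs it.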
