Georgi Georgiev

Reputation: 3964

ASP.Net core antiforgery denying form submission from Iframe

I have an asp.net core application. One of the forms of the application is embedded inside an iframe in a different application, running on a different. In my configuration I have suppressed the same origin X-Frame header so I can submit the form from the iframe.

services.AddAntiforgery(options =>
{
    options.SuppressXFrameOptionsHeader = true;
});

However, when I submit the form via the iframe I get a bad request error, although I can see that the CSRF token is sent properly. If I remove the

[ValidateAntiForgeryToken]

attribute from the controller action I can submit the form via the iframe. What am I doing wrong?

Upvotes: 2

Views: 3335

Answers (2)

Paul O

Reputation: 71

I found an answer to this

https://stackoverflow.com/a/52709829/9931213

You need to add

options.Cookie.SameSite = SameSiteMode.None;

to your AddAntiforgery options.

Upvotes: 5
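As an added example (not code from the question or from either answer), here is what the complete antiforgery configuration looks like once the SameSite change is applied, together with the controller action that keeps [ValidateAntiForgeryToken]. It also shows why the 400 happened: the antiforgery cookie defaults to SameSite=Strict, so the browser drops it on the cross-site POST from the iframe, the request arrives with the form token but no cookie token, and validation fails. Because browsers require SameSite=None cookies to be Secure, the cookie policy is set to Always. Since the X-Frame-Options header is suppressed, the example restricts framing with a Content-Security-Policy frame-ancestors directive instead, so only the embedding site can frame the form rather than any site; `https://trusted-host.example` and the `EmbeddedFormController` names are placeholders, not values from the page.

```csharp
// Added example, not the question's or answers' own code.
// Startup for an ASP.NET Core MVC app whose form is embedded in an iframe on
// another site. The framing origin below is a placeholder.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Placeholder: the origin of the application that hosts the iframe.
    private const string FramingOrigin = "https://trusted-host.example";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        services.AddAntiforgery(options =>
        {
            // The antiforgery cookie defaults to SameSite=Strict, so the browser
            // drops it on a cross-site POST from the iframe. The request then
            // carries the form token but not the cookie token, and
            // [ValidateAntiForgeryToken] rejects it with 400 Bad Request.
            options.Cookie.SameSite = SameSiteMode.None;

            // Browsers only accept SameSite=None cookies that are also marked
            // Secure, so the form must be served over HTTPS.
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;

            // Stop the antiforgery middleware from emitting
            // X-Frame-Options: SAMEORIGIN; framing is restricted below with
            // Content-Security-Policy instead of being allowed from anywhere.
            options.SuppressXFrameOptionsHeader = true;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Allow only the app itself and the trusted origin to frame pages.
        app.Use(async (context, next) =>
        {
            context.Response.Headers["Content-Security-Policy"] =
                $"frame-ancestors 'self' {FramingOrigin}";
            await next();
        });

        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

// Placeholder controller: the token check stays in place; only the cookie's
// SameSite attribute changed so the cookie half of the token pair is sent.
public class EmbeddedFormController : Controller
{
    [HttpGet]
    public IActionResult Index() => View();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Index(string comment) => Ok();
}
```

The view that renders the form must still emit the hidden token field (the `<form>` tag helper or `@Html.AntiForgeryToken()` does this), and the embedding page must be served over HTTPS as well, since a Secure cookie is not sent into an insecure framing context.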

Mladen B.

Reputation: 3025

I believe you're confusing CSRF attack prevention (using the ValidateAntiForgeryToken attribute) with clickjacking attack prevention (using the X-Frame-Options HTTP header).

Please read those articles first and try to understand what they are and how they work. And most importantly, what risks you are taking when disabling these protections. Most of the time people are just too eager to see their web app up and running, so they disable most of the protections like these, but later on they fail to get back to these issues and fix them properly, which usually ends up with that web app being vulnerable to these basic attacks, data being stolen, leaked, abused, etc.

It can be frustrating to slow down the development in order to first read the stuff and try to understand it before the continuation of the development, but, it usually pays off every time and you always learn something new in the process, becoming a better developer.

Upvotes: -1
