Laravel 5 TokenMismatchException only in iFrame

Backend · Unresolved · 2 · 2099
青春惊慌失措 2021-01-18 16:24

I have a working form:

    {!! Form::open() !!}
            
2 answers
  • 2021-01-18 17:03

    @Jeemusu's answer provides a solution, though here are a few comments and another suggested solution after reading: https://discussions.apple.com/thread/4156939?tstart=0

    • To me, this has nothing to do with preventing CSRF; other browsers are not preventing this. I would say that this is more related to preventing tracking.
    • The page at Apple suggests the following: the problem only occurs when the iframe domain has not been visited first (and this is what I have observed).
    • One solution would be for the caller domain to set a cookie when a user arrives, redirect to the called domain to "count as a visit" and then redirect back to the called domain (which would read the first-set cookie so as not to redirect again).

    I would say that disabling CSRF protection is an insecure idea.

  • 2021-01-18 17:11

    Laravel 5 has a global middleware enabled called VerifyCsrfToken that checks all POST requests for a token to apply Cross-site request forgery protection.

    Cross-site request forgeries are a type of malicious exploit whereby unauthorized commands are performed on behalf of the authenticated user.

    Allowing users to submit your form from an iframe on a different domain is exactly the kind of thing Laravel's CSRF protection is trying to prevent.

    There is a way to disable CSRF verification for certain URLs. You can add a new item to the $except array to exclude that URL from CSRF verification.

    Http/Middleware/VerifyCsrfToken.php

    <?php
    
    namespace App\Http\Middleware;
    
    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
    
    class VerifyCsrfToken extends BaseVerifier
    {
        /**
         * The URIs that should be excluded from CSRF verification.
         *
         * @var array
         */
        protected $except = [
            'your/uri'
        ];
    }
    
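As an added example (not from the answer above, and not Laravel's own code), the script below reproduces the path matching that `VerifyCsrfToken::inExceptArray()` applies to the `$except` list (the `Request::is()` / `Str::is()` wildcard rules; the full-URL form of the check is left out), so you can audit exactly which POST routes an entry exempts before shipping it. The route list and the patterns are constructed for the audit.

```php
<?php
// Offline audit of a Laravel 5 $except list: which request paths lose CSRF
// verification for a given entry? Assumes the Str::is() wildcard semantics
// ('*' matches any run of characters, pattern anchored at both ends).

/** Wildcard match in the style of Illuminate\Support\Str::is(). */
function patternMatches(string $pattern, string $value): bool
{
    if ($pattern === $value) {
        return true;
    }
    // Quote everything except '*', which becomes '.*'; anchor the whole path.
    $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '\z#u';
    return preg_match($regex, $value) === 1;
}

/** Path-only form of VerifyCsrfToken::inExceptArray(): is this path exempt? */
function isCsrfExempt(array $except, string $path): bool
{
    $path = trim($path, '/') ?: '/';          // Request::path() normalisation
    foreach ($except as $pattern) {
        if ($pattern !== '/') {
            $pattern = trim($pattern, '/');   // entries are stored without slashes
        }
        if (patternMatches($pattern, $path)) {
            return true;
        }
    }
    return false;
}

/** Subset of $routes that the given $except array leaves without CSRF checks. */
function exemptRoutes(array $except, array $routes): array
{
    return array_values(array_filter($routes, function (string $r) use ($except) {
        return isCsrfExempt($except, $r);
    }));
}

// Constructed list of POST routes for the audit (not real application routes).
$routes = ['your/uri', 'your/uri/confirm', 'account/password', 'orders/cancel'];

// The exact entry from the answer exempts that one path only...
print_r(exemptRoutes(['your/uri'], $routes));   // ['your/uri']
// ...while a wildcard entry silently widens the hole to every path beneath it.
print_r(exemptRoutes(['your/*'], $routes));     // ['your/uri', 'your/uri/confirm']
```

Run it against your real route list (`php artisan route:list` output) whenever `$except` changes; any route that appears in the result accepts cross-site POSTs without a token.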