I have website www.example.com
which loads iframe from www.another.com
. The page being loaded contains a HTML and JS which triggers an AJAX call to self (www.another.com
). Both of these sites are behind HTTPS.
The iframe loads perfectly fine, the script is executing, BUT, when I click submit (which is part of iframe), I get that www.another.com
rejected my request due to invalid CSRF token. The form within iframe does contain a token
field, which has a value (some hash).
The ajax call works fine when I go directly to www.another.com
.
From what I can grasp so far when ajax call arrives at the server it does not have session started, so it fails to find a token to match.
I use Symfony 4.4
with NelmioCorsBundle
to ensure proper CORS. The config looks like this:
nelmio_cors: defaults: allow_credentials: false origin_regex: false allow_origin: ['https://www.example.com','https://www.another.com'] allow_methods: ['GET', 'OPTIONS', 'POST'] allow_headers: ['Origin','Referer'] expose_headers: [] max_age: 3600
Failing ajax request has a following headers:
Is there any way to work around this?
Advertisement
Answer
Found a solution.
The domain www.another.com
was sending Cookie
header with SameSite=lax
. That means that those cookies are not to be included unless top-level navigation is initiated. In the case of iframe
AJAX call, that just won’t cut it.
A workaround for this is to disable SameSite
in framework.yml
.
session: cookie_samesite: null <--- THIS
I am well aware of potential security ramifications, but:
- the AJAX
POST
endpoint is protected by CSRF token, - Both of these sites are HTTPS
… so I guess I am going to be fine. Am I?
I am really looking forward to hearing if there is a more serious problem than the one I outlined above 🙂
Another matter I wanted to point out is how my CORS configuration was not really irrelevant. All of my requests are “simple” ones, and thus do not trigger preflight requests.