NodeBB in inframe throws invalid csrf token

prabez

I would like to ask for help in case of receiving "invalid csrf token" exception during user login when NodeBB is used from iframe.

I added headers in Settings -> Advanced -> Headers

Request for /login throws 403 Forbidden and in the logs I'm receiving /login invalid csrf token

Could you give me a hint what I could additionally check / in what place I could search possible problem? Just let me know if I could add more detailed information / logs. Thanks!

PitaJ

What headers did you add?

prabez

@pitaj In test environment I'm using two addresses:

http://192.168.1.15/forum - for forum
http://widget.internal - for page with iframe, hosts entry to http://192.168.1.15

Below headers settings:

PitaJ

Do you get the same error if you access it outside the iframe?

I think in many of those headers NodeBB will ignore it if you set it to *, rather than allowing anything.

prabez

@pitaj No, outside iframe everything is working.

Tested with and without *, also tried to write direct values / domains into fields. Each time the same result.

Also it looks that csrf token is sending in login request.

I suspect that problematic could be cookies, but can't find direct reason. That's why I'm asking for help.

NodeBB in inframe throws invalid csrf token

Suggested Topics

NodeBB v3.0.0 — it's here!

Hiring: NodeBB developer to customize themes

I need help customizing my NodeBB! Looking for a NodeBB dev who can help me.

Nodebb API get new users

Visual Studio Code and NodeBB