NodeBB in iframe throws invalid csrf token
-
I would like to ask for help with an "invalid csrf token" exception that I receive during user login when NodeBB is used from an iframe.
I added headers in Settings -> Advanced -> Headers.
A request for /login throws 403 Forbidden, and in the logs I'm receiving "/login invalid csrf token".
Could you give me a hint about what I could additionally check, or where I could look for the possible problem? Just let me know if I should add more detailed information / logs. Thanks!
-
What headers did you add?
-
@pitaj In the test environment I'm using two addresses:
- http://192.168.1.15/forum - for forum
- http://widget.internal - for page with iframe, hosts entry to http://192.168.1.15
Below headers settings:
-
Do you get the same error if you access it outside the iframe?
I think in many of those headers NodeBB will ignore it if you set it to *, rather than allowing anything.
-
@pitaj No, outside the iframe everything is working.
Tested with and without *, and also tried writing direct values / domains into the fields. Each time the same result. Also, it looks like the csrf token is being sent in the login request.
I suspect that cookies could be the problem, but I can't find a direct reason. That's why I'm asking for help.
-
Were you actually able to solve that? Running into a very related problem here (NodeBB running in an iframe, authenticated through the session-sharing plugin). Users are logged in but any interaction results in a 403 / invalid csrf token... I'm running the board on a different domain than the embedding page.
-