Antiforgery Token Cookie Not Appearing in Request Headers Only When Embedded in Iframe

狂风中的少年 submitted on 2019-12-11 06:34:56

Question


I'm trying to embed a simple web app that will POST user input that is running ASP.NET Core 2.0 into an iframe. The problem I am having is that while embedded, the request headers that are being generated lack the cookie header that contains the .AspNetCore.Antiforgery.[token]. It is being generated as expected outside of the iframe.

This is causing a 400 error because the post is unable to validate the token.

Request Headers generated outside of iframe: Request Headers: NO IFRAME

Request Headers generated inside of iframe: Request Headers: INSIDE IFRAME

Has anyone had this issue with the antiforgery token library?

Thanks!!


Answer 1:


Turns out the SameSite property on the cookie class for the antiforgery options needs to be set to None for this to work:

    services.AddAntiforgery(options =>
    {
        options.Cookie.SameSite = SameSiteMode.None;
    });



Source: https://stackoverflow.com/questions/52669145/antiforgery-token-cookie-not-appearing-in-request-headers-only-in-when-embeded-i
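
The answer's setting placed in a full `Startup` class, as an added example that is not part of the original answer or of the ASP.NET Core project's code: the cookie is also marked `Secure`, since current browsers reject `SameSite=None` cookies without it, and a `frame-ancestors` policy limits framing to one parent origin. The origin `https://parent.example` is a placeholder assumption.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Assumption: the single origin allowed to embed this app (placeholder value).
    private const string TrustedParentOrigin = "https://parent.example";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        services.AddAntiforgery(options =>
        {
            // Let the antiforgery cookie travel on cross-site requests,
            // which is what a POST from inside a third-party iframe is.
            options.Cookie.SameSite = SameSiteMode.None;

            // SameSite=None is only honoured together with Secure,
            // so the app has to be served over HTTPS.
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // With SameSite relaxed, restrict which sites may frame the app.
        app.Use(async (context, next) =>
        {
            context.Response.Headers["Content-Security-Policy"] =
                "frame-ancestors 'self' " + TrustedParentOrigin;
            await next();
        });

        app.UseMvc();
    }
}
```

The antiforgery token in the form is still validated against the cookie on every POST; only the browser-side restriction on when the cookie is sent changes.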
