richbreton

small form token mismatch if iframed

Hi

I have a small one-input-box form that works perfectly, but I had someone iframe it so they could use it as a tool on their site, and if it's accessed over the iframe I get a token mismatch exception. I don't get this exception if I just access the URL directly. What can I have done wrong?

0 likes
5 replies
bobbybouwmann

The token is to prevent cross-site request forgery, and that's what you are doing when you use an iFrame! The token prevents random websites from submitting a form to your site. So a form using Laravel and a token is not going to work in an iFrame!

bobbybouwmann

You can't disable it for a controller, and it's really bad practice to do so! Now what you can do, although it's bad practice, is this:

Open up the app/Http/Kernel.php file. It now looks like this:

<?php namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel {

    /**
     * The application's global HTTP middleware stack.
     *
     * @var array
     */
    protected $middleware = [
        'Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode',
        'Illuminate\Cookie\Middleware\EncryptCookies',
        'Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse',
        'Illuminate\Session\Middleware\StartSession',
        'Illuminate\View\Middleware\ShareErrorsFromSession',
        'App\Http\Middleware\VerifyCsrfToken'
    ];

    /**
     * The application's route middleware.
     *
     * @var array
     */
    protected $routeMiddleware = [
        'auth' => 'App\Http\Middleware\Authenticate',
        'auth.basic' => 'Illuminate\Auth\Middleware\AuthenticateWithBasicAuth',
        'guest' => 'App\Http\Middleware\RedirectIfAuthenticated',
    ];

}

Now you need to update it to this:

<?php namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel {

    /**
     * The application's global HTTP middleware stack.
     *
     * @var array
     */
    protected $middleware = [
        'Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode',
        'Illuminate\Cookie\Middleware\EncryptCookies',
        'Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse',
        'Illuminate\Session\Middleware\StartSession',
        'Illuminate\View\Middleware\ShareErrorsFromSession',
    ];

    /**
     * The application's route middleware.
     *
     * @var array
     */
    protected $routeMiddleware = [
        'auth' => 'App\Http\Middleware\Authenticate',
        'auth.basic' => 'Illuminate\Auth\Middleware\AuthenticateWithBasicAuth',
        'guest' => 'App\Http\Middleware\RedirectIfAuthenticated',
        'csrf' => 'App\Http\Middleware\VerifyCsrfToken'
    ];

}

As you can see, we removed VerifyCsrfToken, which was checked on all requests, and moved it to the route middleware array. Now in your routes.php file you can do something like this:

Route::group(['middleware' => 'csrf'], function () {

    // Place here all the routes that need csrf protection
    // Meaning that they need a verified token

});

// Place all your other routes outside of the group that don't need the csrf protection

Again, and I mean this! This is not good practice!

bashy
Best Answer
Level 65

Using CSRF isn't "always" necessary, but it should be fine in an iframe?

Check the form is sending the _token data.
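The two answers above pull in different directions: bobbybouwmann's Kernel.php change takes VerifyCsrfToken out of the global stack, so every route that is not explicitly placed in the `csrf` group silently loses its protection, while bashy's point is that the check itself should work inside an iframe as long as the form carries the token. The example below is an added illustration, not code from this thread or from the Laravel project. It keeps VerifyCsrfToken in the global middleware stack and exempts only the one route that has to be embeddable. It assumes Laravel 5.0 (where the framework middleware has no exclusion list of its own), and the route name `embed/lookup` and the `$except` property are hypothetical names chosen for the example.

```php
<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

// Added example (not from the thread or from Laravel). With this class still
// listed in the global $middleware array of app/Http/Kernel.php, every other
// POST/PUT/PATCH/DELETE route keeps its token check; only the patterns in
// $except are passed through.
class VerifyCsrfToken extends BaseVerifier {

    /**
     * URI patterns (Request::is() syntax, hypothetical values) that may skip
     * the token check. Keep this list as short as possible: each entry is a
     * route that any third-party page can submit to, so it must be safe to
     * call without a session (no account state changes, rate-limited, etc.).
     *
     * @var array
     */
    protected $except = [
        'embed/lookup',
    ];

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        foreach ($this->except as $pattern) {
            if ($request->is($pattern)) {
                // Exempted route: pass through without looking at _token.
                return $next($request);
            }
        }

        // Everything else: the framework compares the posted _token (or the
        // X-CSRF-TOKEN header) with the token stored in the visitor's session
        // and throws TokenMismatchException when they differ.
        return parent::handle($request, $next);
    }

}
```

Before exempting anything, do what bashy suggests and confirm the embedded form actually renders `<input type="hidden" name="_token" value="{{ csrf_token() }}">`. If the field is present and the exception still occurs only inside the iframe, the usual cause is that the browser is not sending your session cookie back from the third-party context (third-party cookie blocking), so the server starts a fresh session whose token cannot match the one in the form; the token check is then doing exactly what it is meant to do, and the decision is whether that one route is safe to serve without it.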
