
TheBanana's avatar

Send form cross-domain

Hey guys,

I have made a Formbuilder which has to be used cross-domain. For example I want to load my form on www.example.com and it is hosted on www.formbuilder.com/form/{id}. I do get this form loaded on the site, but I can't send it to www.formbuilder.com/sendform/{id} because it gives a TokenMismatchException. My thought was that disabling CSRF is not very secure, so I thought of a way to make an exception for www.example.com. Is this possible, or do you have any other solutions?

Thanks!

0 likes
3 replies
ralphmorris's avatar

You could disable CSRF for only this specific route but then create your own middleware where you could do your own validation/check the referrer etc?

Thyrosis's avatar

CSRF stands for cross site request forgery, so the name itself implies that what you are intending to do will be a security issue.

Disabling the CSRF protection is the only way to get it to work. Do you know where the requests are coming from? In that case you could make a whitelist of accepted domains and not have the form post directly to your own server.

If the form posts to its own site, the CSRF field can just be there. Then, in the local controller, forward the request to your own server with some sort of secret authentication token. That way, you keep the local protection and use some secret communication that can't be forged.
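The forwarding approach from the reply above, sketched in plain PHP as an added example (it is not code from the thread or from Laravel). The function names, the message layout, `SHARED_SECRET` and `MAX_AGE` are assumptions made for illustration; the embedding site signs the submission after its own CSRF check, and the form builder verifies the signature instead of a CSRF token.

```php
<?php
// Added illustration. All names and the secret below are hypothetical/constructed.
const SHARED_SECRET = 'constructed-sample-secret-change-me'; // known to both servers only
const MAX_AGE = 300; // seconds a forwarded submission is accepted

// Runs on the embedding site (www.example.com) after its local CSRF check passed.
function signForward(string $formId, array $fields, int $now): array
{
    $body = json_encode($fields, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $formId . "\n" . $now . "\n" . $body, SHARED_SECRET);
    return ['form_id' => $formId, 'ts' => $now, 'body' => $body, 'mac' => $mac];
}

// Runs on the form builder (www.formbuilder.com) for the CSRF-exempt route.
// Returns the decoded fields, or null when the message must be rejected.
function verifyForward(array $msg, int $now): ?array
{
    foreach (['form_id', 'ts', 'body', 'mac'] as $key) {
        if (!isset($msg[$key]) || !is_scalar($msg[$key])) {
            return null; // malformed message
        }
    }
    $ts = (int) $msg['ts'];
    if (abs($now - $ts) > MAX_AGE) {
        return null; // outside the freshness window
    }
    $expected = hash_hmac('sha256', $msg['form_id'] . "\n" . $ts . "\n" . $msg['body'], SHARED_SECRET);
    if (!hash_equals($expected, (string) $msg['mac'])) { // constant-time comparison
        return null; // signature does not match: forged or altered
    }
    $fields = json_decode((string) $msg['body'], true);
    return is_array($fields) ? $fields : null; // contents are still untrusted user input
}

// Constructed sample exchange.
$now = time();
$msg = signForward('42', ['email' => 'alice@example.com'], $now);
var_dump(verifyForward($msg, $now) !== null);        // untouched message

$tampered = $msg;
$tampered['body'] = '{"email":"mallory@example.com"}';
var_dump(verifyForward($tampered, $now) !== null);   // body altered in transit

var_dump(verifyForward($msg, $now + 3600) !== null); // same message an hour later
```

The timestamp only narrows the replay window; a message captured in transit can be resent within `MAX_AGE` unless the receiver also tracks a per-message nonce.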

Snapey's avatar

CSRF protection is to stop someone sending a form from another site using a logged-in user's session.

So it's only an issue if you are trying to send data as a specific user. Otherwise it's just an anonymous form and should be validated as normal and treated as untrusted data.
