Antiforgery Token Cookie Not Appearing in Request Headers Only When Embedded in Iframe


Problem description

I'm trying to embed a simple web app that will POST user input that is running asp.net Core 2.0 into an iframe. The problem I am having is that while embedded, the request headers that are being generated lack the cookie header that contains the .AspNetCore.Antiforgery.[token]. It is being generated as expected outside of the iframe.

This is causing a 400 error because the post is unable to validate the token.

Request Headers generated outside of iframe: Request Headers: NO IFRAME

Request Headers generated inside of iframe: Request Headers: INSIDE IFRAME

Has anyone had this issue with the antiforgery token library?

Thanks!

Recommended answer

Turns out the SameSite property on the cookie class for the antiforgery options needs to be set to None for this to work:

services.AddAntiforgery(options => { options.Cookie.SameSite = SameSiteMode.None; });

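A hardened form of the answer's setting, as an added example that is not part of the original post. It assumes the app is served over HTTPS and framed by a single known parent, https://parent.example (a hypothetical origin); relaxing SameSite alone leaves the cookie without Secure and says nothing about who may frame the form, so the example sets both.

```csharp
// Added example, not from the original post. Assumes the embedding page is
// served from https://parent.example (hypothetical origin) and the app uses HTTPS.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Hypothetical: the only origin allowed to frame this app.
    private const string AllowedParent = "https://parent.example";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAntiforgery(options =>
        {
            // From the answer: let the cookie travel on cross-site iframe requests.
            options.Cookie.SameSite = SameSiteMode.None;
            // Current browsers drop SameSite=None cookies that lack Secure.
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            // Antiforgery emits X-Frame-Options: SAMEORIGIN by default; replace it
            // with the frame-ancestors policy set in Configure, which names the
            // parent explicitly.
            options.SuppressXFrameOptionsHeader = true;
        });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Restrict framing to the one known parent instead of allowing any site.
        app.Use(async (context, next) =>
        {
            context.Response.Headers["Content-Security-Policy"] =
                "frame-ancestors " + AllowedParent;
            await next();
        });
        app.UseMvcWithDefaultRoute();
    }
}
```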
