只有在嵌入iframe中时,防伪令牌令牌Cookie才会出现在请求标头中 [英] Antiforgery Token Cookie Not Appearing in Request Headers Only in when Embeded in Iframe
问题描述
我正在尝试嵌入一个简单的Web应用程序,该应用程序会将运行asp.net Core 2.0的用户输入发布到iframe中.我遇到的问题是,在嵌入时,正在生成的请求标头缺少包含.AspNetCore.Antiforgery.[token]的cookie标头.它是在iframe外部按预期生成的.
I'm trying to embed a simple web app that will POST user input that is running asp.net Core 2.0 into an iframe. The problem I am having is that while embedded, the request headers that are being generated lack the cookie header that contains the .AspNetCore.Antiforgery.[token]. It is being generated as expected outside of the iframe.
这会导致400错误,因为帖子无法验证令牌.
This is causing a 400 error because the post is unable to validate the token.
在iframe外部生成的请求标头: 请求标头:没有IFRAME
Request Headers generated outside of iframe: Request Headers: NO IFRAME
在iframe内部生成的请求标头: 请求标头:INSIDE IFRAME
Request Headers generated inside of iframe: Request Headers: INSIDE IFRAME
有人在防伪令牌库中遇到这个问题吗?
Has anyone had this issue with the antiforgery token library?
谢谢!
推荐答案
在cookie类上显示SameSite属性,因为需要将防伪选项设置为None才能起作用:
Turns out the SameSite property on the cookie class for the antiforgery options needs to be set to None for this to work:
services.AddAntiforgery(options =>
{
options.Cookie.SameSite = SameSiteMode.None;
});
services.AddAntiforgery(options =>
{
options.Cookie.SameSite = SameSiteMode.None;
});
这篇关于只有在嵌入iframe中时,防伪令牌令牌Cookie才会出现在请求标头中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!