
I have an ASP.NET Core application. One of the application's forms is embedded in an iframe in a different application, running on a different domain. In my configuration I suppressed the same-origin X-Frame-Options header so that I can submit the form into the iframe.

services.AddAntiforgery(options =>
{
    options.SuppressXFrameOptionsHeader = true;
});

But when I submit the form through the iframe, I get a Bad Request error, even though I can see that the CSRF token is being sent correctly. If I remove the

[ValidateAntiForgeryToken]

attribute from the controller action, I can submit the form through the iframe. What am I doing wrong?

4

2 Answers

2

I found the answer

https://stackoverflow.com/a/52709829/9931213

You need to add

options.Cookie.SameSite = SameSiteMode.None;

to your AddAntiforgery options.

answered 2019-06-08T23:37:42.993
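The two settings from the question and the accepted answer, put together in one Startup class with the practitioner caveats that go with them. This is an added example, not code from the question or either answer; it assumes ASP.NET Core 3.x and uses the placeholder `https://parent.example` for the origin of the page that frames the form.

```csharp
// Startup.cs -- added example (ASP.NET Core 3.x), not from the original post.
// Assumption: the form is framed only by https://parent.example (placeholder origin).
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private const string AllowedFramingOrigin = "https://parent.example"; // placeholder

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        services.AddAntiforgery(options =>
        {
            // The question's setting: stops the antiforgery system from emitting
            // X-Frame-Options: SAMEORIGIN, so the form can be framed at all.
            options.SuppressXFrameOptionsHeader = true;

            // The accepted answer's fix. The antiforgery cookie defaults to SameSite=Strict,
            // so the browser does not attach it to a POST issued from inside a cross-site
            // iframe: the form field token arrives, the cookie token does not, and
            // [ValidateAntiForgeryToken] rejects the request with 400 Bad Request.
            options.Cookie.SameSite = SameSiteMode.None;

            // Current browsers only honour SameSite=None on cookies that are also Secure.
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();

        // Suppressing X-Frame-Options removes clickjacking protection for every page.
        // Restore it narrowly: allow framing only by the known parent origin.
        app.Use(async (context, next) =>
        {
            context.Response.Headers["Content-Security-Policy"] =
                $"frame-ancestors 'self' {AllowedFramingOrigin}";
            await next();
        });

        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

With this in place the request tokens in the cookie and the form field both reach the action, while only the named parent origin may frame the page.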
-1

I believe you're confusing CSRF attack prevention (using ValidateAntiForgeryToken attribute) with clickjacking attack prevention (using X-Frame-Options HTTP header).

Please read those articles first and try to understand what they are and how they work. And most importantly, what risks are you taking when disabling these protections. Most of the times people are just too eager to see their web app up and running, so they disable most of protections like these, but later on they fail to get back to these issues and fix them properly, which usually ends up with that web app being vulnerable to these basic attacks, data being stolen, leaked, abused, etc.

It can be frustrating to slow down the development in order to first read the stuff and try to understand it before the continuation of the development, but, it usually pays off every time and you always learn something new in the process, becoming a better developer.

answered 2019-06-07T22:29:59.860