[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CSRF does not work in iframe.

From: Bhuvan Gupta
Subject: CSRF does not work in iframe.
Date: Thu, 7 Sep 2017 12:37:46 +0530

Hello all,

 I create a allMonit.html which have two iframe with src of two different monit http interface running on two different system

allMonit.html structure
    <iframe src = "" href="http://firstserver:2812">http://firstserver:2812"></iframe>
    <iframe src = "" href="http://seconderver:2812">http://seconderver:2812"></iframe>

Now when i open allMonit.html in chrome , i see two monit interfaces. GREAT

Now if i try to let say "start a service" on one firstserver. I get invalid CSRF.

Upon investigation i found that without iframe the http request contains a cookiee header like 
Where as http request from iframe does not include cookie header.

Upon further study, i found that since monit http response does not contain following header
Access-Control-Allow-Credentials: true
and hence browser will not transmit the cookie back to server.

Now the question arises:

QUESTION: How to configure monit to add addition http header


reply via email to

[Prev in Thread] Current Thread [Next in Thread]