[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CSRF does not work in iframe.

From: Guillaume François
Subject: Re: CSRF does not work in iframe.
Date: Thu, 14 Sep 2017 10:06:06 +0200

I don't think you can easilly bypass the csrf mechanism when using iframe, as one of its goal it to avoid this kind of usage (not related to monit), you will need several hack to allow it if you cannot disable at monit level.

Maybe document yourself about csrf could help to find hacks.

Le 14 sept. 2017 6:13 AM, "Bhuvan Gupta" <address@hidden> a écrit :
Any help will be nice

On Thu, Sep 7, 2017 at 12:37 PM, Bhuvan Gupta <address@hidden> wrote:
Hello all,

 I create a allMonit.html which have two iframe with src of two different monit http interface running on two different system

allMonit.html structure
    <iframe src = "" href="http://firstserver:2812" target="_blank">http://firstserver:2812"></iframe>
    <iframe src = "" href="http://seconderver:2812" target="_blank">http://seconderver:2812"></iframe>

Now when i open allMonit.html in chrome , i see two monit interfaces. GREAT

Now if i try to let say "start a service" on one firstserver. I get invalid CSRF.

Upon investigation i found that without iframe the http request contains a cookiee header like 
Where as http request from iframe does not include cookie header.

Upon further study, i found that since monit http response does not contain following header
Access-Control-Allow-Credentials: true
and hence browser will not transmit the cookie back to server.

Now the question arises:

QUESTION: How to configure monit to add addition http header


To unsubscribe:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]