ActionController::InvalidAuthenticityToken #632
Comments
Hey @lazaronixon, sorry for the super slow reply and thanks for the bug report. I've just opened a PR that should fix this. I realise it's quite a while since you created this issue but if you are able to test it and confirm it works for you too then that would be fantastic:

gem "lookbook", github: "lookbook-hq/lookbook", branch: "fix-preview-csrf-exception"

From my testing it seems to fix the issue so if I don't hear back with any problems I'll merge it in and get it out in the next release. Thanks again for bringing it to my attention :)
Thank you for attempting to fix this issue. I'm a bit confused, though. This is what my lookbook HTML looks like with a

```html
<!-- http://127.0.0.1:3005/lookbook/inspect/toggle/async -->
<html>
  <head>
    <!-- Your PR adds this one -->
    <meta name="csrf-token" content="3JWhDXzu1713DX..." />
  </head>
  <body>
    <!-- I don't think I can programmatically escape this iframe, right? I can't see the token above. -->
    <iframe>
      <html>
        <head>
          <title>Preview</title>
          <!-- This is from my Rails layout -->
          <meta name="csrf-token" content="iAhD6iIsCjEhorYn...">
        </head>
        <body>
          <form id="..." action="..." accept-charset="UTF-8" method="post">
            <!-- This is what `form_for` adds -->
            <input type="hidden" name="authenticity_token" value="ReJTSC8SlGyDbfWo..." autocomplete="off">
          </form>
        </body>
      </html>
    </iframe>
  </body>
</html>
```

What's being submitted is the token

However, if I add

Your PR does not change this behavior. My guess is that the underlying problem is the

See also https://discuss.rubyonrails.org/t/cant-verify-csrf-token-authenticity-in-iframe/85518 (but that is only addressing cross-domain issues I think)

See also https://security.stackexchange.com/questions/238443/iframe-friendly-csrf-protection
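To make the mismatch in the comment above concrete, here is an added illustration (not lookbook's or Rails' own code) that re-implements Rails' masked authenticity-token check in miniature: each rendered form gets a one-time-pad-masked copy of the session's raw token, and a POST is accepted only if the unmasked value equals the raw token of the session the request actually arrives with. The `reproduce_issue` scenario, session names and the `:no_session` result are assumptions of this example, not behaviour quoted from the issue.

```ruby
require "securerandom"
require "base64"

TOKEN_LENGTH = 32

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Compare without leaking where the first differing byte is.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# One raw token per session, stored base64-encoded (as Rails keeps it in session["_csrf_token"]).
def new_session
  { "_csrf_token" => Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_LENGTH)) }
end

# What `form_for` emits: pad + (raw XOR pad), base64-encoded, different on every render.
def masked_token(session)
  raw = Base64.strict_decode64(session["_csrf_token"])
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(raw, pad))
end

# Server-side check; returns a symbol naming the failure so the cause is visible in logs.
def verify_token(session, submitted)
  return :no_session if session.nil? || session["_csrf_token"].nil?
  return :missing_token if submitted.nil? || submitted.empty?
  decoded = begin
    Base64.strict_decode64(submitted)
  rescue ArgumentError
    return :malformed
  end
  return :malformed unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad    = decoded.byteslice(0, TOKEN_LENGTH)
  masked = decoded.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
  expected = Base64.strict_decode64(session["_csrf_token"])
  constant_time_equal?(xor_bytes(masked, pad), expected) ? :ok : :mismatch
end

# Assumed scenario: the token is minted by the Rails layout inside the preview iframe, but
# the POST is checked against whatever session the browser sends (none if the cookie was
# never set, or a different one), so only the first case passes.
def reproduce_issue
  iframe_session = new_session
  other_session  = new_session
  form_token     = masked_token(iframe_session)
  { same_session:  verify_token(iframe_session, form_token),
    other_session: verify_token(other_session, form_token),
    no_cookie:     verify_token(nil, form_token) }
end
```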
Describe the bug

When I try to submit to a main application controller, I receive ActionController::InvalidAuthenticityToken. For some reason, the session cookie is not created when I access /lookbook, but as soon as I open the main application and the session cookie is set, the following requests work without any problem.

To Reproduce

test/components/previews/button_preview/loading.html.erb