Can't verify CSRF token authenticity in iframe


I have a super simple page with a form that works well on its own on production when accessed directly, but once I put it inside an iframe, I'm not able to submit the form. Backend throws Can't verify CSRF token authenticity and returns 422 error code.

I already have content_security_policy set to policy.frame_ancestors :self, '*' to be able to embed my form in an iframe but still - the CSRF issue is making it useless.

It sounds like something a lot of people should suffer from, but I can't really find anything about it on Google, so I would be really grateful for any tips on how to deal with that :pray:

If the iframe is on a different domain than the top level page, modern browsers will often not allow the cookies to be preserved, as they are considered 3rd party cookies. The CSRF token check compares the HTML token with the token in the session accessed via the cookie.

Thank you for your reply. I managed to fix that by adding

config.action_dispatch.cookies_same_site_protection = :none

line to my application.rb file.
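An added illustration (not code from this thread or from Rails) of why the embedded form fails and what the SameSite change does: a tiny model of the browser's cookie rule and of the server-side CSRF check, which compares the token in the form with the one in the cookie-backed session. Cookie, class and function names are made up; note that SameSite=None makes the session cookie travel with every cross-site request, not only the embedded form.

```ruby
require "securerandom"

# Server side: sessions keyed by cookie value; each session holds its CSRF token.
class FakeApp
  def initialize
    @sessions = {}
  end

  # Rendering the form creates a session (Set-Cookie) and embeds the token in the HTML.
  def render_form(cookie_same_site:)
    sid   = SecureRandom.hex(8)
    token = SecureRandom.base64(32)
    @sessions[sid] = { csrf: token }
    cookie = { name: "_app_session", value: sid, same_site: cookie_same_site, secure: true }
    [cookie, token]
  end

  # POST handler: without the cookie there is no session, so no token to compare -> 422.
  def submit(cookies:, form_token:)
    session = @sessions[cookies["_app_session"]]
    return 422 unless session && secure_compare(session[:csrf], form_token)
    200
  end

  private

  # Constant-time comparison, so the check does not leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Browser side: which cookies are attached to a form POST from the iframe.
# Lax/Strict cookies are dropped when the top-level page is on another site;
# SameSite=None cookies are sent, but only over HTTPS (Secure is mandatory).
def cookies_sent(jar, cross_site:, https:)
  jar.select do |c|
    next false if c[:secure] && !https
    !cross_site || c[:same_site] == :none
  end.to_h { |c| [c[:name], c[:value]] }
end

# Whole round trip: load the form, then submit it from a same-site or cross-site frame.
def embedded_submit(same_site:, cross_site:, https: true)
  app = FakeApp.new
  cookie, token = app.render_form(cookie_same_site: same_site)
  jar = cookies_sent([cookie], cross_site: cross_site, https: https)
  app.submit(cookies: jar, form_token: token)
end
```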

Maybe not so relevant for modern browsers anymore, but you might want to change the X-Frame-Options header as well, which Rails includes by default. See this section in the security guide: Securing Rails Applications — Ruby on Rails Guides.