
I have an iframe coming from a different subdomain on my Razor page. When I post the form within the iframe, I see a "400 Bad Request" error in the browser console. This error happens in the staging environment. However, I do not get this error on my local machine.

These are the things I tried that did not fix the problem:

• I checked the CORS settings and made sure that both clients grant the necessary permissions to each other.

• I also checked the CSP settings. I included the project that contains the iframe element in the "frame-ancestors" directive.

• Finally, I came across a comment suggesting that this error could be caused by the browser blocking third-party cookies during the form post. Despite disabling the option to block third-party cookies in the browser settings, the problem was not resolved.

How can I solve this problem?

Mchtbrt
  • That 400 response is coming from the server, not from the browser. Focus on the server. – jub0bs Aug 02 '23 at 17:22
  • When I open the iframe content in a new window, the form post is successful. However, the same form post does not succeed when the page is in an iframe. When I check the browser console, I see this error: "Cookie “.AspNetCore.Antiforgery.RtGCWVXC8-4” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”." After a long search on the internet, I see that this happens in cross-domain login scenarios with iframe usage. – Mchtbrt Aug 03 '23 at 18:06

1 Answer


As you described in your problem statement, you can encounter form post issues in cross-domain login scenarios in an iframe. To solve this issue, you need to set some options for the antiforgery cookie.

    // In Program.cs (minimal hosting), register the options on builder.Services.
    builder.Services.AddAntiforgery(options =>
    {
        // Stop the antiforgery system from emitting X-Frame-Options: SAMEORIGIN,
        // which would block the cross-site iframe; use CSP frame-ancestors instead.
        options.SuppressXFrameOptionsHeader = true;
        // The default (Lax) is not sent with a POST made from a cross-site frame.
        options.Cookie.SameSite = SameSiteMode.None;
        // Browsers only accept SameSite=None cookies that are also marked Secure.
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    });

Please note that you may have a security issue due to SameSiteMode.None. You may use extra measures, such as CORS settings, to offset the security issue.

For further reading on the issue and the fix:

Nedim
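A fuller version of that configuration, added here as an example and not code from the original answer or from the asker's project: a Program.cs for the framed Razor Pages app (ASP.NET Core 6 or later, minimal hosting) that applies the antiforgery cookie settings above and pairs them with a Content-Security-Policy frame-ancestors directive so that only one named parent origin may embed the page. The parent origin https://parent.example is an assumption; substitute the site that actually hosts the iframe.

```csharp
// Program.cs for the app that is rendered inside the iframe.
// Added example (not the original answer's code); https://parent.example is assumed.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

// Assumed: the only site allowed to frame this app. Replace with the real one.
const string TrustedParentOrigin = "https://parent.example";

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRazorPages();

builder.Services.AddAntiforgery(options =>
{
    // The framed page's POST is a cross-site request from the browser's point
    // of view, so a Lax/Strict antiforgery cookie is not sent and validation
    // fails with 400. SameSite=None lets the cookie accompany that POST.
    options.Cookie.SameSite = SameSiteMode.None;

    // SameSite=None is only honoured together with the Secure attribute, so the
    // app must be served over HTTPS (staging is; plain http://localhost may not be).
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;

    // Antiforgery would otherwise add X-Frame-Options: SAMEORIGIN when it issues a
    // token, which blocks the cross-site frame. Framing is controlled by CSP below.
    options.SuppressXFrameOptionsHeader = true;
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}
app.UseHttpsRedirection();

// Limit who may embed this app. With SameSite=None the antiforgery cookie travels
// with any cross-site request, so the framing allow-list is what keeps an arbitrary
// site from rendering (and clickjacking) the form. The token itself is still
// validated on every Razor Pages POST, which is what stops classic CSRF.
app.Use(async (context, next) =>
{
    context.Response.Headers["Content-Security-Policy"] =
        $"frame-ancestors 'self' {TrustedParentOrigin}";
    await next();
});

app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.MapRazorPages();

app.Run();
```

Two checks worth making before deploying this. First, confirm the parent really is cross-site: browsers compare registrable domains (eTLD+1, via the public suffix list), so two subdomains of the same registrable domain over HTTPS are same-site and a Lax cookie would already be sent; if the console reports a cross-site context, the two hosts are on different registrable domains, or the scheme differs and the browser applies schemeful same-site. Second, verify the response headers in the staging environment with the browser's network panel: the Set-Cookie for the .AspNetCore.Antiforgery.* cookie must carry both SameSite=None and Secure, and the Content-Security-Policy must list the embedding origin exactly (scheme and host), or the frame will still be blocked.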