Invalid CSRF (Cross Site Request Forgery) on embedded form

I have an Elixir application that uses Phoenix for the interface. This application has a contact form that needs to be embedded in other websites. Once the form is embedded via an iFrame in the other websites and then submitted, it returns an error:

invalid CSRF (Cross Site Request Forgery) token, please make sure that:
  * The session cookie is being sent and session is loaded
  * The request include a valid '_csrf_token' param or 'x-csrf-token' header

Because I can’t control the domains of the websites, I can’t update the plug Plug.Session opts.

Am I correct in my understanding that CSRF protection is mostly there to protect authenticated sessions? Since this is a simple contact form that will be embedded, can I remove the CSRF check for this POST route, or is there a better way to handle this?

This can be done in your router, by moving the protect_from_forgery plug to its own named pipeline, then using it (or not!) when needed :slight_smile:

See related docs for protect_from_forgery.
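The router layout described in the answer above, as an added example that is not part of the original thread. MyAppWeb, the controllers and the /embed paths are hypothetical names, and the other plugs a generated Phoenix router normally carries are left out to keep the focus on the CSRF split.

```elixir
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # Plugs shared by every HTML route. The CSRF check is deliberately
  # NOT here, so that each scope has to opt in to it explicitly.
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
  end

  # The CSRF check in its own named pipeline.
  pipeline :csrf do
    plug :protect_from_forgery
  end

  # Regular application routes: session-backed, CSRF token required
  # on every state-changing request.
  scope "/", MyAppWeb do
    pipe_through [:browser, :csrf]

    get "/", PageController, :home
  end

  # The embeddable contact form: same browser plugs, no CSRF check.
  # Keep this scope limited to routes that never act on a logged-in
  # user's session, because requests here are accepted from any origin.
  scope "/embed", MyAppWeb do
    pipe_through :browser

    get "/contact", ContactController, :new
    post "/contact", ContactController, :create
  end
end
```

With this layout, a new route added under "/" is protected by default, and skipping the check requires placing the route in the "/embed" scope on purpose.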

Thank you :grinning: That’s the current workaround I have right now. I guess I’m curious if I am OK doing this from my application from a security standpoint? Will doing that put my application at risk?

