monit-general

Re: CSRF does not work in iframe.


From: Guillaume François
Subject: Re: CSRF does not work in iframe.
Date: Thu, 14 Sep 2017 10:06:06 +0200

I don't think you can easily bypass the CSRF mechanism when using an iframe, as one of its goals is to avoid this kind of usage (not related to monit); you will need several hacks to allow it if you cannot disable it at the monit level.

Maybe documenting yourself about CSRF could help you find hacks.

On 14 Sep 2017 6:13 AM, "Bhuvan Gupta" <address@hidden> wrote:
Any help will be nice

On Thu, Sep 7, 2017 at 12:37 PM, Bhuvan Gupta <address@hidden> wrote:
Hello all,

I created an allMonit.html which has two iframes whose src points at two different monit HTTP interfaces running on two different systems.

allMonit.html structure:
    <iframe src="http://firstserver:2812"></iframe>
    <iframe src="http://seconderver:2812"></iframe>

Now when I open allMonit.html in Chrome, I see two monit interfaces. GREAT

Now if I try to, let's say, "start a service" on firstserver, I get invalid CSRF.

Upon investigation I found that without the iframe the HTTP request contains a cookie header like
Cookie:
securitytoken=6265d84a17c2715c7252c84d88a479cf
whereas the HTTP request from the iframe does not include a cookie header.

Upon further study, I found that the monit HTTP response does not contain the following header
Access-Control-Allow-Credentials: true
and hence the browser will not transmit the cookie back to the server.

Now the question arises:

QUESTION: How do I configure monit to add an additional HTTP header?

Thanks
Bhuvan
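To make the rejection in this thread concrete from the server's side, below is a hypothetical double-submit CSRF check, added here as an example; it is not monit's code, and monit's actual validation is not shown anywhere in this thread. It assumes the token is carried both in the `securitytoken` cookie (the name seen in the capture above) and in a form field of the same name (the field name is an assumption), and the three request samples, including their `action` and `service` fields and the token value, are constructed rather than captured from monit.

```python
"""Hypothetical double-submit CSRF check, modelled on the symptom in the thread.

Added example, not code from monit; the form-field name and all request
samples below are constructed assumptions.
"""
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

COOKIE_NAME = "securitytoken"   # cookie name seen in the thread's capture
FIELD_NAME = "securitytoken"    # assumed form-field name (hypothetical)


def parse_cookie_header(header: Optional[str]) -> Dict[str, str]:
    """Parse a 'Cookie: a=b; c=d' value into a dict; a missing header yields {}."""
    cookies: Dict[str, str] = {}
    if not header:
        return cookies
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def check_csrf(headers: Dict[str, str], body: str) -> Tuple[bool, str]:
    """Accept the POST only if the cookie token equals the form token.

    Returns (accepted, reason).  The comparison is constant-time so the
    check itself does not leak token bytes through timing.
    """
    cookies = parse_cookie_header(headers.get("Cookie"))
    cookie_token = cookies.get(COOKIE_NAME)
    if cookie_token is None:
        # The iframe case from the thread: the browser sent no Cookie header.
        return False, "missing securitytoken cookie"
    form_token = parse_qs(body).get(FIELD_NAME, [None])[0]
    if form_token is None:
        return False, "missing securitytoken form field"
    if not hmac.compare_digest(cookie_token, form_token):
        return False, "cookie token and form token differ"
    return True, "ok"


# Constructed sample requests (not captured from monit).
TOKEN = "0123456789abcdef0123456789abcdef"      # constructed token value

# Top-level browsing: the browser attaches the cookie, the form carries the token.
DIRECT_REQUEST = (
    {"Host": "firstserver:2812", "Cookie": f"{COOKIE_NAME}={TOKEN}"},
    f"action=start&service=myservice&{FIELD_NAME}={TOKEN}",
)

# Same form submission, but with no Cookie header at all, which is what the
# thread observed for the request issued from inside the iframe.
IFRAME_REQUEST = (
    {"Host": "firstserver:2812"},
    f"action=start&service=myservice&{FIELD_NAME}={TOKEN}",
)

# Cookie present, but the form token does not match it.
MISMATCHED_REQUEST = (
    {"Host": "firstserver:2812", "Cookie": f"{COOKIE_NAME}={TOKEN}"},
    f"action=start&service=myservice&{FIELD_NAME}={'f' * 32}",
)


def classify_samples() -> Dict[str, Tuple[bool, str]]:
    """Run the check over the three samples and report each verdict."""
    return {
        "direct": check_csrf(*DIRECT_REQUEST),
        "iframe": check_csrf(*IFRAME_REQUEST),
        "mismatched": check_csrf(*MISMATCHED_REQUEST),
    }


if __name__ == "__main__":
    for name, (ok, why) in classify_samples().items():
        print(f"{name:>10}: {'accepted' if ok else 'rejected'} ({why})")
```

The "iframe" sample is rejected for exactly the reason the capture above shows: the request arrives without the cookie half of the token pair, so the check cannot tell a legitimate form post from a forged one and refuses it, which is the control doing its job. One caveat on the header named in the question: `Access-Control-Allow-Credentials` is a CORS response header that governs whether a script's cross-origin fetch/XHR may be made with credentials and have its response read; whether a browser attaches cookies to a framed page's own form submissions is decided by its third-party-cookie policy, not by that header.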
