Embed .Net Core MVC App in another application

  • Question

  • User1495489727 posted

    Hello,

    Hope all is safe.

    I'm trying to load an ASP.NET Core MVC application in another application using an iframe. The HTML is loaded, but when I click on login, for example, no result is shown.

    I tried services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true); In the same domain the app loaded in the iframe works fine, but in another domain it doesn't function.

    I also use 

    services.AddCors(options =>
    {
        options.AddDefaultPolicy(
            builder =>
            {
                builder.WithOrigins("*");
                builder.WithHeaders("*");
                builder.WithMethods("*");
            });
    });

    to permit CORS (cross-origin resource sharing),

    but nothing works for me.

    If there is any help I will appreciate.

    Thanks all

    Monday, August 3, 2020 5:16 PM

All replies

  • User-474980206 posted

    Anti-forgery uses a cookie and a hidden field. The post back must be to the same domain or the cookie is not sent.

    You are hitting a cross-origin error with the iframe; check the console. Use the browser's debugging tools to see why it is blocked.

     

    Monday, August 3, 2020 6:02 PM
  • User753101303 posted

    Hi,

    You are not also using https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options ? You used F12 Console to see if the browser doesn't show a message telling you exactly what happens?

    Monday, August 3, 2020 6:08 PM
  • User1495489727 posted

    Thanks for your reply 

    What I wish to do is to load App1 in an iframe or any HTML control in App2, with different domains.

    In the same domain I tried it and it works fine, but as you said, in a different domain the cookie is not sent.

    Is there a solution for this issue, or must I think in a different way?

    Nothing is shown in the console when I click on a button. Maybe the cookie is empty?

    Monday, August 3, 2020 6:15 PM
  • User753101303 posted

    If this is a browser-side security restriction, it should show a message in the browser console. If the antiforgery token is not found you should have an exception (you checked?) etc...

    What does F12 Network show for this HTTP query?

    I always spend a few minutes to find details about the exact error, which is often quicker than trying to fix an error which is not yet well identified through guesses and tries...

    Monday, August 3, 2020 6:31 PM
  • User1495489727 posted

    Hi,

    You are not also using https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options ? You used F12 Console to see if the browser doesn't show a message telling you exactly what happens?

    Hi,

    No errors or messages in the console. I checked the Elements tab: only the header HTML appeared, but the rendered body did not, as you see below.

    <body>
    <header>
    <nav class="navbar navbar-expand-sm navbar-toggleable-sm navbar-light bg-white border-bottom box-shadow mb-3">
    <div class="container">
    <button class="navbar-toggler" type="button" data-toggle="collapse" data-target=".navbar-collapse" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
    <span class="navbar-toggler-icon"></span>
    </button>
    <div class="navbar-collapse collapse d-sm-inline-flex flex-sm-row-reverse">
    <ul class="navbar-nav flex-grow-1">
    <li class="nav-item">
    <a class="nav-link text-dark" href="/Marker">Marker</a>
    </li>
    <li class="nav-item">
    <a class="nav-link text-dark" href="/List/Chain">Chain</a>
    </li>
    <li class="nav-item">
    <a class="nav-link text-dark" href="/List/AllContent">Content</a>
    </li>
    </ul>
    </div>
    </div>
    </nav>
    </header>
    <div class="container">
    <main role="main" class="pb-3">

    Here must be the result of the render page


    </main>
    </div>

    Monday, August 3, 2020 6:31 PM
  • User1495489727 posted

    PatriceSc

    If this is a browser-side security restriction, it should show a message in the browser console. If the antiforgery token is not found you should have an exception (you checked?) etc...

    What does F12 Network show for this HTTP query?

    I always spend a few minutes to find details about the exact error, which is often quicker than trying to fix an error which is not yet well identified through guesses and tries...

    What is more confusing is that there is no error or message shown in the console or network tab once the button is clicked.

    Monday, August 3, 2020 6:39 PM
  • User-474980206 posted

    It looks like you loaded a partial view, and did not include the required scripts. Your button is just a button and will not post back, nor is there a form for it to post.

    An iframe is a standalone document, and inherits nothing from the parent window except the window.parent property.

    Tuesday, August 4, 2020 12:10 AM
  • User1495489727 posted

    It looks like you loaded a partial view, and did not include the required scripts. Your button is just a button and will not post back, nor is there a form for it to post.

    An iframe is a standalone document, and inherits nothing from the parent window except the window.parent property.

    Hello, sorry for the late reply. The application was loaded successfully, but when I came to log in nothing happened. It looks like no cookies were created or no request was sent.

    I checked the Microsoft docs for the SameSite attribute in order to share cookies between two apps: https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1

    But when I retried, only the link to the login page was shown in the Console tab, as an error.

    Any help is appreciated

    Friday, August 7, 2020 4:23 PM
  • User-474980206 posted

    You can only share cookies between apps if they belong to the same sub-domain and the cookie domain is set to that subdomain (mysite1.foo.com & mysite2.foo.com and cookie domain is set to .mysite.com).

    SameSite controls when the referrer (the site that the link came from) is not the same site. As the iframe is hosted by a different site, you need same-site = lax.

    Friday, August 7, 2020 11:56 PM
  • User1761105426 posted

    I have encountered the same issue as OP, where I have an iframe from another domain in my app. I control both domains. I have tried frame-ancestors but no luck. What's going on is that Chrome is blocking 3rd party cookies, even .NET Core cookies for antiforgery and tempcookie provider. I have the cookie policy on both set to same site none and secure. What else do I need to do here, or am I at the mercy of Chrome?

    Sunday, January 17, 2021 5:15 AM
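
Added example, not code from any poster in this thread: a Startup for the framed application (App1) that combines the settings discussed above (antiforgery and login cookies marked SameSite=None and Secure, and framing limited to one parent through frame-ancestors). It assumes ASP.NET Core 3.1 with cookie authentication; `https://app2.example` is a placeholder for the embedding site. A browser that blocks third-party cookies, as the last post describes for Chrome, can still drop these cookies.

```csharp
// Added example for App1 (the framed app); not taken from the thread.
// ParentOrigin is a placeholder for the site that embeds App1.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private const string ParentOrigin = "https://app2.example";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        // No AddCors here: loading a page in an iframe and posting its forms
        // are navigations, not fetch/XHR calls, so a CORS policy is not consulted.
        services.AddAntiforgery(o =>
        {
            // Drop the default X-Frame-Options: SAMEORIGIN header; framing is
            // restricted by the CSP header set in Configure instead.
            o.SuppressXFrameOptionsHeader = true;
            // Inside a cross-site iframe these are third-party cookies: the
            // browser only sends them when they are SameSite=None and Secure.
            o.Cookie.SameSite = SameSiteMode.None;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(o =>
            {
                o.Cookie.SameSite = SameSiteMode.None;
                o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection(); // Secure cookies are only set over HTTPS
        app.Use(async (context, next) =>
        {
            // Only App1 itself and the named parent may frame these pages.
            context.Response.Headers["Content-Security-Policy"] =
                $"frame-ancestors 'self' {ParentOrigin}";
            await next();
        });
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapDefaultControllerRoute());
    }
}
```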