sending an authorization token from the parent window to iframe origin so that iframe origin could make the call

I actually solved this myself the very next day, but I wanted to check my solution in practice first. The answer is actually quite simple: double submit cookies.

So basically, whenever submit.html is called with submit.js (the iframe button responsible for sending the payment data to the API endpoint), it will get a CSRF token from the back-end server. The server will attach an encrypted cookie to submit.html as well, using HTTPS secure cookies.

Now, whenever submit.js makes a call to the API endpoint, the CSRF token will be sent back in a header. The back-end server takes the encrypted cookie that it attached to submit.html, decrypts it and compares it to the CSRF token in the header. If there is a match, the request is valid.

More info can be found here: OWASP cheat sheet.
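The check described in the answer, written out as a small added example (this is not code from the original post or from any particular framework). It assumes a server-side secret `SERVER_SECRET`, a cookie named `csrf`, and a request header named `X-CSRF-Token`; all three names are placeholders chosen here. The cookie is protected with an HMAC tag rather than encryption, so the server can tell a cookie it issued from one an attacker planted, and both comparisons use constant-time equality.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumption: a per-deployment secret known only to the back-end. Generated
# fresh here so the example runs stand-alone; a real server loads it once.
SERVER_SECRET = secrets.token_bytes(32)

COOKIE_NAME = "csrf"            # placeholder cookie name
HEADER_NAME = "X-CSRF-Token"    # placeholder header name


def _tag(token: str) -> str:
    # HMAC over the token lets the server recognise cookies it issued itself.
    return hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()


def issue_csrf_token() -> Tuple[str, str]:
    """Return (token to hand to submit.js, value to store in the cookie).

    The page script sends the bare token back in a header; the cookie carries
    the same token plus its HMAC tag.
    """
    token = secrets.token_urlsafe(32)
    return token, f"{token}.{_tag(token)}"


def set_cookie_header(cookie_value: str) -> str:
    # Secure: only over HTTPS. HttpOnly: the script never needs to read it,
    # it gets the token separately. SameSite is deliberately left out here;
    # see the note below.
    return f"Set-Cookie: {COOKIE_NAME}={cookie_value}; Secure; HttpOnly; Path=/"


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            out[name] = value
    return out


def verify_csrf(cookie_value: Optional[str], header_token: Optional[str]) -> bool:
    """Double-submit check: cookie must be server-issued and match the header."""
    if not cookie_value or not header_token:
        return False
    token, sep, tag = cookie_value.rpartition(".")
    if not sep or not token:
        return False
    # 1. Was this cookie really issued by us? (rejects attacker-planted cookies)
    if not hmac.compare_digest(_tag(token), tag):
        return False
    # 2. Does the header the script sent match the cookie the browser sent?
    return hmac.compare_digest(token, header_token)


def handle_payment_request(headers: Dict[str, str]) -> int:
    """Return an HTTP status: 403 on a failed CSRF check, 200 otherwise."""
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    if not verify_csrf(cookies.get(COOKIE_NAME), headers.get(HEADER_NAME)):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed round trip: server issues token + cookie, script echoes token.
    token, cookie_value = issue_csrf_token()
    print(set_cookie_header(cookie_value))
    good = {"Cookie": f"{COOKIE_NAME}={cookie_value}", HEADER_NAME: token}
    print("legitimate request ->", handle_payment_request(good))
    forged = {"Cookie": f"{COOKIE_NAME}=abc.0000", HEADER_NAME: "abc"}
    print("planted cookie     ->", handle_payment_request(forged))
```

One caveat for the iframe setup in the question: if submit.html is embedded on a different site than the one the user is visiting, a `SameSite=Strict` or `Lax` cookie will not be sent with the script's request at all, so the cookie's `SameSite` attribute has to be chosen to fit the embedding context rather than copied from a generic example.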
