Error "CSRF token verification failed" when using iframe in Chrome

Infos:

  • Used Zammad version: 5.1.x
  • Used Zammad installation type: source
  • Operating system: Ubuntu 22.04.4 LTS
  • Browser + version: Chrome 128.0.6613.120 and Firefox 130

I’m creating a project to incorporate some of our service platforms into the company’s intranet where I work. Among one of them is Zammad.

Looking for answers, I found post #2051 here on the community forum ([solved] Set X-Frame-Options for Zammad to allow iframe).

Following what is in the ticket, I managed to activate the iframe by changing the following fields in the …/action_dispatch/railtie.rb file:
"X-Frame-Options" => "ALLOWALL",
"X-XSS-Protection" => "0",

However, when trying to connect to the application using the iframe in Chrome, I can access the login page normally, with no apparent error, but when I enter the access credentials, the error “CSRF token verification failed!” is displayed.

I carried out a separate test using the iframe in Firefox, and I was able to log in normally to the application.

Has anyone gone through this? Is there anything that can be done to achieve this authentication in Chrome?

Note: Outside of the iframe, I can use the application normally in Chrome; only when using the iframe is the error shown.

Sorry but please update your Zammad version to a current, supported and secure one. We’re at 6.3.1 which is over 2 years ahead of your version.


Sorry! Application updated to version 6.3.1.

After updating, I only made one change to the /opt/zammad/config/initializers/content_security_policy.rb file, including the following line:
policy.frame_ancestors :self, '*'

Searching some forums, I found information that using frame_ancestors overrides the frame_options settings. By changing the content_security_policy.rb file I was able to incorporate Zammad into my intranet, using the HTTP protocol, as it is still a test. However, the problem persists in the same way, but now the error “CSRF token verification failed!” is displayed in any browser, accessed from inside or outside the server where the application is installed.

Update: Checking the iframe errors shows possible problems when the application tries to POST with the API.
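The `frame_ancestors :self, '*'` line discussed in the thread lets any site on the internet frame the Zammad instance, not just the intranet. The following is an added example (not Zammad's code) that evaluates the CSP frame-ancestors directive in simplified CSP3 terms, so the wide-open policy can be compared with an allow-list naming only the intranet origin; all host names are constructed placeholders.

```ruby
# Added example (not Zammad's code): a small evaluator for the CSP
# frame-ancestors directive, showing what `frame_ancestors :self, '*'`
# permits compared with an allow-list of the intranet origin.
# Host names are constructed placeholders; matching is a simplified CSP3.
Origin = Struct.new(:scheme, :host, :port)
DEFAULT_PORTS = { 'http' => 80, 'https' => 443 }.freeze

# Parse "scheme://host[:port]"; a missing port falls back to the scheme default.
def parse_origin(str)
  m = str.match(%r{\A([a-z][a-z0-9+.-]*)://([^/:]+)(?::(\d+))?\z}i)
  raise ArgumentError, "bad origin: #{str}" unless m
  Origin.new(m[1].downcase, m[2].downcase, m[3] ? m[3].to_i : DEFAULT_PORTS[m[1].downcase])
end

# Does one frame-ancestors source expression allow `embedder` to frame `page`?
def source_matches?(source, page, embedder)
  case source
  when "'none'" then false
  when '*'      then true               # any site at all may frame the page
  when "'self'" then embedder == page   # same scheme, host and port
  else                                  # [scheme://][*.]host[:port]
    m = source.match(%r{\A(?:([a-z][a-z0-9+.-]*)://)?(\*\.)?([^/:*]+)(?::(\d+))?\z}i)
    return false unless m
    scheme_ok = m[1] ? m[1].downcase == embedder.scheme : embedder.scheme == page.scheme
    host_ok   = m[2] ? embedder.host.end_with?(".#{m[3].downcase}") : embedder.host == m[3].downcase
    port_ok   = m[4] ? m[4].to_i == embedder.port : embedder.port == DEFAULT_PORTS[embedder.scheme]
    scheme_ok && host_ok && port_ok
  end
end

# A frame-ancestors list allows the embedder if any of its sources matches.
def frame_allowed?(sources, page_origin, embedder_origin)
  page, emb = parse_origin(page_origin), parse_origin(embedder_origin)
  sources.any? { |s| source_matches?(s, page, emb) }
end

# The two initializer variants, as the sources the response header would carry.
WIDE_OPEN  = ["'self'", '*']                             # policy.frame_ancestors :self, '*'
RESTRICTED = ["'self'", 'http://intranet.example.com']  # policy.frame_ancestors :self, 'http://intranet.example.com'

# Compare both policies against the intranet page and an unrelated site.
def demo(page = 'http://zammad.example.com')
  {
    wide_open_intranet:   frame_allowed?(WIDE_OPEN,  page, 'http://intranet.example.com'),
    wide_open_untrusted:  frame_allowed?(WIDE_OPEN,  page, 'https://untrusted.example'),  # true: any site may frame it
    restricted_intranet:  frame_allowed?(RESTRICTED, page, 'http://intranet.example.com'),
    restricted_untrusted: frame_allowed?(RESTRICTED, page, 'https://untrusted.example')   # false
  }
end
```

The restricted variant keeps the intranet embedding working while leaving the clickjacking surface closed to every other origin; it does not by itself change the CSRF behaviour, which depends on the session cookie reaching the framed request.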