Laravel TokenMismatchException when posting from inside an iframe

I have a page running on http://some.example.com/myiframes/default.aspx. This page has an iframe. The iframe source contains a Laravel 5.2-based application.

My Laravel page URL (which is the source of the iframe) is https://laravel.example.com.

https://laravel.example.com has a form with a submit button. When a user clicks it, he/she hits another route on the same domain, i.e. https://laravel.example.com/disply/survey

But every time I submit the form, I get the following exception:

TokenMismatchException in VerifyCsrfToken.php line 67:

To make sure I am clear, on the page http://some.example.com/myiframes/default.aspx my code looks something like this

On my Laravel app, which is located at https://laravel.example.com, here is my form:

<form method="POST" action="https://laravel.example.com/disply/survey" accept-charset="UTF-8" class="form">
    <input name="_token" type="hidden" value="Dk6SN4WzO4brbvdnBO6JZ7e1lBGjmYz8GQJ1lYFo">
    <input name="survey_id" type="hidden" value="10">
    <input name="call_id" type="hidden" value="667">
    <input name="pools" type="hidden">

    <input name="alt_id_1" type="hidden" value="250">
    <input name="alt_id_2" type="hidden" value="5">
    <input name="alt_id_3" type="hidden">
    <input name="alt_id_4" type="hidden">
    <input name="alt_id_5" type="hidden">
    <input name="alt_id_6" type="hidden">
    <input name="alt_id_7" type="hidden">
    <input name="alt_id_8" type="hidden">
    <input name="alt_id_9" type="hidden">
    <input name="alt_id_10" type="hidden">

    <input name="alt_string_1" type="hidden">
    <input name="alt_string_2" type="hidden">
    <input name="alt_string_3" type="hidden">
    <input name="alt_string_4" type="hidden">
    <input name="alt_string_5" type="hidden">
    <input name="alt_string_6" type="hidden">
    <input name="alt_string_7" type="hidden">
    <input name="alt_string_8" type="hidden">
    <input name="alt_string_9" type="hidden">
    <input name="alt_string_10" type="hidden">

    <div class="text-center">
        <input class="btn btn-primary" type="submit" value="Start Survey">
    </div>
</form>

The form works perfectly outside of the iframe. The problem only happens when I am inside the iframe.

I opened the VerifyCsrfToken class located in App\Http\Middleware and added http://some.example.com to the $except array, which did not fix the problem.

protected $except = [
    'http://some.example.com'
];

What could be causing this issue? How can I correct the problem?

Edit: here is my template

{!! Form::open([
    'url' => route('my.surveys.display'),
    'class' => 'form',
    'method' => 'post'
]) !!}
{!! Form::hidden('survey_id', $survey_id) !!}
{!! Form::hidden('call_id', $call_id) !!}
{!! Form::hidden('pools', $pools) !!}
{!! Form::hidden('call_type', $type) !!}


{!! Form::hidden('alt_id_1', $alt_id_1) !!}
{!! Form::hidden('alt_id_2', $alt_id_2) !!}
{!! Form::hidden('alt_id_3', $alt_id_3) !!}
{!! Form::hidden('alt_id_4', $alt_id_4) !!}
{!! Form::hidden('alt_id_5', $alt_id_5) !!}
{!! Form::hidden('alt_id_6', $alt_id_6) !!}
{!! Form::hidden('alt_id_7', $alt_id_7) !!}
{!! Form::hidden('alt_id_8', $alt_id_8) !!}
{!! Form::hidden('alt_id_9', $alt_id_9) !!}
{!! Form::hidden('alt_id_10', $alt_id_10) !!}


{!! Form::hidden('alt_string_1', $alt_string_1) !!}
{!! Form::hidden('alt_string_2', $alt_string_2) !!}
{!! Form::hidden('alt_string_3', $alt_string_3) !!}
{!! Form::hidden('alt_string_4', $alt_string_4) !!}
{!! Form::hidden('alt_string_5', $alt_string_5) !!}
{!! Form::hidden('alt_string_6', $alt_string_6) !!}
{!! Form::hidden('alt_string_7', $alt_string_7) !!}
{!! Form::hidden('alt_string_8', $alt_string_8) !!}
{!! Form::hidden('alt_string_9', $alt_string_9) !!}
{!! Form::hidden('alt_string_10', $alt_string_10) !!}

<div class="text-center"> 
    {!! Form::submit('Start Survey', ['class' => 'btn btn-primary', 'id' => 'start_survey']) !!}
</div>
Junior asked Oct 19 '22 18:10


1 Answer

Given the details that you provide in the original question, it seems that Laravel is behaving exactly as it should when refusing to allow you to submit the form.

The user-agent is browsing to http://some.example.com and POSTing the form to https://laravel.example.com, via an iframe. If I'm not mistaken, this is precisely the behavior that CSRF tokens are designed to prevent.

This question may even be a duplicate of Laravel 5 TokenMismatchException only in iFrame. I concur with the accepted answer there.

If this is an internal site and you're willing to accept the associated risks, you may add an exception for the route to which you are POSTing, as described in the above-cited answer.

Ben Johnson answered Oct 22 '22 00:10
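As an added example that is not part of the question or the answer: a stand-alone PHP model of the two checks Laravel 5.2's VerifyCsrfToken middleware performs, showing why a domain placed in $except cannot exempt the route while the route's path can, and why a form token that no longer matches the session token is rejected. The function bodies are a simplified re-implementation written for this illustration, not Laravel's own code, and the sample values are constructed from the question.

```php
<?php
// Added example, not code from the question or the answer: a simplified,
// stand-alone model of the two decisions Laravel 5.2's VerifyCsrfToken
// middleware makes. The real class is
// Illuminate\Foundation\Http\Middleware\VerifyCsrfToken; this illustrates
// its behaviour and is not a copy of it.

// 1. Is the request exempt? Laravel tests each $except entry against the
//    request PATH (the way Request::is() does), never against a scheme or
//    host, so an entry like 'http://some.example.com' cannot match any route.
function shouldPassThrough(string $path, array $except): bool
{
    $path = trim($path, '/') ?: '/';
    foreach ($except as $pattern) {
        if ($pattern !== '/') {
            $pattern = trim($pattern, '/');
        }
        // Laravel-style wildcard: '*' matches anything (cf. Str::is()).
        $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '\z#u';
        if (preg_match($regex, $path) === 1) {
            return true;
        }
    }
    return false;
}

// 2. Does the submitted _token equal the token stored in the session?
//    A request that arrives without its session cookie gets a fresh session
//    with a new token, so the token baked into the form can no longer match.
function tokensMatch(?string $sessionToken, ?string $formToken): bool
{
    if (!is_string($sessionToken) || !is_string($formToken)) {
        return false;
    }
    return hash_equals($sessionToken, $formToken);   // constant-time compare
}

// Constructed sample values modelled on the question (not real data).
$domainExcept = ['http://some.example.com'];   // the entry the question tried
$routeExcept  = ['disply/survey'];             // the route path being POSTed to
$formToken    = 'Dk6SN4WzO4brbvdnBO6JZ7e1lBGjmYz8GQJ1lYFo';

printf("domain entry exempts route: %s\n", var_export(shouldPassThrough('/disply/survey', $domainExcept), true));
printf("path entry exempts route:   %s\n", var_export(shouldPassThrough('/disply/survey', $routeExcept), true));
printf("same session token:         %s\n", var_export(tokensMatch($formToken, $formToken), true));
printf("fresh session token:        %s\n", var_export(tokensMatch('token-of-a-new-session', $formToken), true));
```

Run it with the php command line; nothing Laravel-specific is required. Exempting a route this way removes the CSRF check for it entirely, which is the trade-off the answer refers to.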