krakenjs/lusca

IE and Safari block third-party cookies by default, causing CSRF issues in iframe

shaunwarman opened this issue · 2 comments

Below is the stack trace:
[2015-05-19 13:53:55.581] - error: [corrId: 5d031de0fed19][cal] Error: CSRF token missing
    at csrf (/Users/swarman/Development/Source/pppluscpmnodeweb/node_modules/lusca/lib/csrf.js:53:18)
    at csrf (eval at createToggleWrapper (/Users/swarman/Development/Source/pppluscpmnodeweb/node_modules/kraken-js/node_modules/meddleware/index.js:133:51), <anonymous>:1:65)
    at Layer.handle [as handle_request] (/Users/swarman/Development/Source/pppluscpmnodeweb/node_modules/express/lib/router/layer.js:76:5)
    at trim_prefix (/Users/swarman/Development/Source/pppluscpmnodeweb/node_modules/express/lib/router/index.js:263:13)

It sounds like an HTTP header needs to be present, but this sounds risky. Need to dive deeper.

What header would need to be sent?

So I had to use the p3p header. In config it looked like:
"p3p": "ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"