BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

419 Page Expired with ALLOWED_IFRAME_HOSTS #5261

Closed antitiron closed 1 month ago

antitiron commented 1 month ago

Attempted Debugging

Searched GitHub Issues

Describe the Scenario

Hello!

Thank you for the great application.

The problem is similar to issue 2671: 419 Error Page Expired if ALLOWED_IFRAME_HOSTS is added to .env.

I am attaching the config file:

# This file, when named as ".env" in the root of your BookStack install
# folder, is used for the core configuration of the application.
# By default this file contains the most common required options but
# a full list of options can be found in the '.env.example.complete' file.

# NOTE: If any of your values contain a space or a hash you will need to
# wrap the entire value in quotes. (eg. MAIL_FROM_NAME="BookStack Mailer")

# Application key
# Used for encryption where needed.
# Run `php artisan key:generate` to generate a valid key.
APP_KEY=base64:***

# Application URL
# This must be the root URL that you want to host BookStack on.
# All URLs in BookStack will be generated using this value
# to ensure URLs generated are consistent and secure.
# If you change this in the future you may need to run a command
# to update stored URLs in the database. Command example:
# php artisan bookstack:update-url https://old.example.com https://new.example.com
APP_URL=http://bookstack

# Database details
DB_HOST=localhost
DB_DATABASE=bookstack
DB_USERNAME=bookstack
DB_PASSWORD=***

# Mail system to use
# Can be 'smtp' or 'sendmail'
MAIL_DRIVER=smtp

# Mail sender details
MAIL_FROM_NAME="BookStack"
MAIL_FROM=bookstack@example.com

# SMTP mail options
# These settings can be checked using the "Send a Test Email"
# feature found in the "Settings > Maintenance" area of the system.
# For more detailed documentation on mail options, refer to:
# https://www.bookstackapp.com/docs/admin/email-webhooks/#email-configuration
MAIL_HOST=localhost
MAIL_PORT=587
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

APP_DEBUG=true
AUTH_METHOD=ldap
LDAP_BASE_DN="***"
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
LDAP_DN="***"
LDAP_EMAIL_ATTRIBUTE=mail
LDAP_ID_ATTRIBUTE=mail
LDAP_PASS="***"
LDAP_SERVER=***
LDAP_START_TLS=false
LDAP_USER_FILTER=(&(sAMAccountName=${user}))
LDAP_GROUP_ATTRIBUTE="memberOf"
LDAP_VERSION=3
LDAP_USER_TO_GROUPS=true
LDAP_REMOVE_FROM_GROUPS=false
LDAP_AUTO_CONFIRM_EMAIL=true
LDAP_DUMP_USER_GROUPS=false
LDAP_DUMP_USER_DETAILS=false
SESSION_LIFETIME=7200
#SESSION_DOMAIN=http://bookstack
SESSION_SECURE_COOKIE=false

# Adding a single host
ALLOWED_IFRAME_HOSTS="*"

After changes, make sure to run "php artisan optimize:clear".

I cleared all session cookies; it doesn't work in any browser: not Chrome, not Firefox.

If you can help, it would be great.

Exact BookStack Version

v24.05.4

Log Content

No response

Hosting Environment

VPS Ubuntu 24.04.1 PHP 8.3.6

ssddanbrown commented 1 month ago

Hi @antitiron,

Based upon your .env I'm assuming your BookStack instance is served over standard http:// and not https://?

If so, then cookies are getting blocked by common browser security requirements. When ALLOWED_IFRAME_HOSTS is used, cookies are served with SameSite=None which allows them to work for cross-site requests (since the BookStack instance would be considered third-party when embedded). Browsers require this kind of cookie to be served via https:// with a specific flag (which BookStack will set when the APP_URL is set to start with https://).
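The interaction described in the reply above, as an added example that is not part of this issue thread or of BookStack's own code: a small checker that parses a .env fragment and derives the session cookie attributes the way the comment explains them (SameSite=None whenever ALLOWED_IFRAME_HOSTS is set, Secure only when APP_URL starts with https://), then reports whether browsers will keep the cookie. The .env parser, the function names, the fallback of SameSite=Lax when no iframe hosts are configured, and the decision to ignore SESSION_SECURE_COOKIE are this example's own assumptions; the sample .env fragments are constructed and mirror the reporter's configuration, not their real values.

```python
"""Check whether a BookStack-style .env yields a session cookie browsers accept.

Added example (not BookStack's own code). Rules applied, as described in the
issue reply: ALLOWED_IFRAME_HOSTS set -> SameSite=None; APP_URL starting with
https:// -> Secure. A SameSite=None cookie without Secure is dropped by the
browser, so the CSRF token never comes back and Laravel answers 419.
"""
from dataclasses import dataclass
from typing import Dict


def parse_env(text: str) -> Dict[str, str]:
    """Minimal .env parser (assumption: KEY=VALUE lines, '#' comments, optional quotes)."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


@dataclass(frozen=True)
class CookiePolicy:
    samesite: str
    secure: bool

    @property
    def accepted_by_browsers(self) -> bool:
        # Browsers only honour SameSite=None when Secure is also present.
        return self.samesite != "None" or self.secure


def cookie_policy(env: Dict[str, str]) -> CookiePolicy:
    """Derive the cookie attributes from the .env as the reply describes them."""
    embeds = bool(env.get("ALLOWED_IFRAME_HOSTS", "").strip())
    # Assumption: only the APP_URL scheme decides Secure; SESSION_SECURE_COOKIE is ignored here.
    https = env.get("APP_URL", "").lower().startswith("https://")
    samesite = "None" if embeds else "Lax"  # Lax fallback is an assumption (Laravel default)
    return CookiePolicy(samesite=samesite, secure=https)


def explain(env: Dict[str, str]) -> str:
    """Human-readable verdict for one configuration."""
    policy = cookie_policy(env)
    if policy.accepted_by_browsers:
        return f"OK: SameSite={policy.samesite}; Secure={'on' if policy.secure else 'off'}"
    return ("BROKEN: SameSite=None without Secure. The browser drops the session cookie, "
            "so every form POST fails CSRF validation with 419 Page Expired. "
            "Serve BookStack over https:// (APP_URL=https://...) or unset ALLOWED_IFRAME_HOSTS.")


# Constructed .env fragments (not the reporter's real values).
ENV_HTTP_EMBED = """
APP_URL=http://bookstack
SESSION_SECURE_COOKIE=false
# Adding a single host
ALLOWED_IFRAME_HOSTS="*"
"""

ENV_HTTPS_EMBED = """
APP_URL=https://bookstack.example.com
ALLOWED_IFRAME_HOSTS="https://intranet.example.com"
"""

ENV_HTTP_NO_EMBED = """
APP_URL=http://bookstack
"""

if __name__ == "__main__":
    for name, text in [("http + iframe hosts", ENV_HTTP_EMBED),
                       ("https + iframe hosts", ENV_HTTPS_EMBED),
                       ("http, no iframe hosts", ENV_HTTP_NO_EMBED)]:
        print(f"{name}: {explain(parse_env(text))}")
```

Run it against a copy of your own .env to see which of the three states it lands in; the first sample reproduces the reporter's setup (plain http:// plus ALLOWED_IFRAME_HOSTS) and is the one that yields the 419.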

antitiron commented 1 month ago

Yes, inside the LAN, via http://.

Thanks for the reply!