itchio / itch.io

:bug: Public itch.io issues tracker and documentation - use support instead for private information!
https://itch.io/support

"Mismatched token" on widget for both paypal and stripe, Chrome 38, OSX. #77

Open tenpn opened 9 years ago

tenpn commented 9 years ago

A customer contacted me to report this error when trying to purchase through http://www.tenpn.com/DecisionFlex.html

Things were working fine for me on Chrome 39 on OSX, until I tried it in incognito mode; then I got the same error.

However the customer swears they weren't using incognito.

leafo commented 9 years ago

There's a CSRF validation error that happens sporadically. Not sure of the cause yet because it's hard to reproduce. Thanks for the report.

jakebesworth commented 6 years ago

This still exists.

DDLC Example:


the "ok" links to https://itch.io/embed/106599?border_width=5&fg_color=000&link_color=bb5599&border_color=ffbde1

This is on Firefox, with quite a bit of ad blocking, will try in "safe mode".

Failed Response:

curl 'https://itch.io/game/purchase/106599' -H 'Host: itch.io' -H 'User-Agent: Mozilla/5.0 (X11; rv:55.0) Gecko/20100101 Firefox/55.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: https://itch.io/embed/106599?border_width=5&fg_color=000&link_color=bb5599&border_color=ffbde1' -H 'DNT: 1' -H 'Connection: keep-alive' --data 'csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXACTUALVALUEINHEREXXXXXXXXXXXXXXXXXXXXXXXXX&source=paypal&medium=default&initiator=embed&bp=XXXXXXXACTUALVALUEXXXXXXXXXX&price=%2420.00&email=&json=true'

The POST response is errors: [mismatched token]

EDIT: Still broken even in addons-disabled "safe mode"

EDIT 2: "Forgetting" both ddlc.moe and itch.io "cookies" does not fix the problem

leafo commented 6 years ago

@jakebesworth if you visit the itch.io mainsite, then return to the page where the embed is, refresh the page, then try to complete the purchase does it go through?

Mismatched token means that the CSRF token being sent to the server does not match the one set in your cookie. I'm wondering if third-party cookies are being blocked due to the iframe, which is causing a new CSRF token to be generated that doesn't match the one in the page on submit.

jakebesworth commented 6 years ago

@leafo

Attempted solution:

  1. Visit itch.io (force refresh, no old cache)

  2. Return to ddlc.moe (where the embed is), refresh and attempt to pay

  3. Same error

  4. Open ddlc.moe in new tab (after step 1), try to pay, same error

However, visiting: https://itch.io/embed/106599?border_width=5&fg_color=000&link_color=bb5599&border_color=ffbde1 directly and clicking "Paypal" actually does work, when it's using the itch.io root domain, not another domain embedding this link.

Inspecting both HTML Forms shows the same:

<input name="csrf_token" value="XXXXXSOMEVALUEXXXXX" type="hidden">

Note that XXXXXSOMEVALUEXXXXX is the exact same on ddlc.moe and when I open the embedded link directly in the browser.

Makes me think maybe it's a CORS issue? https://github.com/ottoyiu/django-cors-headers/issues/210 suggests it's an old cookie (which is impossible as I had cleared both cache / cookies)

leafo commented 6 years ago

Just for confirmation:

If you try to pay directly from the itch.io/embed page it works, but doing it on the embed on ddlc.moe doesn't work? Are you sure that the ddlc.moe one didn't start working after it worked on the direct link?

Are you logged into an itch.io account?

If possible, can you capture the POST request to https://itch.io/game/purchase/106599 as HAR and send it to me? You can send it to leafo@itch.io

leafo commented 6 years ago

I don't think it would be a CORS issue since the iframe's domain matches the domain where the POST request is being made to.

leafo commented 6 years ago

Also, I'm testing on Linux with Firefox 57.0.2, no extensions or add-ons. I am not able to reproduce it.

leafo commented 6 years ago

Also one other check, if you don't mind. Can you open up the storage inspector in Firefox webdev tools and tell me if you see two entries for itchio_token. There should also only be one itch.io domain for the cookies: https://itch.io. You might have to check both the ddlc.moe and direct link to embed.

jakebesworth commented 6 years ago

If you try to pay directly from the itch.io/embed page it works, but doing it on the embed on ddlc.moe doesn't work?

This is correct. I just checked again after your comment. ddlc.moe (embedded) and still same error. Embedded directly, no error.

Are you sure that the ddlc.moe one didn't start working after it worked on the direct link?

Yep

Are you logged into an itch.io account?

No, do not have an account

If possible, can you capture the POST request to https://itch.io/game/purchase/106599 as HAR and send it to me? You can send it to leafo@itch.io

Sure, give me a few minutes

I don't think it would be a CORS issue since the iframe's domain matches the domain where the POST request is being made to.

Good point. Not necessarily CORS, but it seems odd that the exact same POST request and iframe Form markup would lead to different POST responses, the only obvious difference I see is the domain, but I'll capture both HAR and send you them, and we can see.

Also one other check, if you don't mind. Can you open up the storage inspector in Firefox webdev tools and tell me if you see two entries for itchio_token. There should also only be one itch.io domain for the cookies: https://itch.io. You might have to check both the ddlc.moe and direct link to embed.

Sure give me a few minutes

leafo commented 6 years ago

Also, if you're curious: The value of the itchio_token cookie should match what's being sent with the POST request as the csrf_token param. If not, then the mismatched token error is generated.

leafo commented 6 years ago

In the meantime, I improved the error dialog so people don't get into a dead-end

jakebesworth commented 6 years ago

Sent you an email with the HAR

leafo commented 6 years ago

Just following up here.

I noticed your request to initiate the purchase did not include any cookies. That would definitely cause an issue. I added xhr.withCredentials = true just in case the request was somehow being marked as a cross domain one.

Since this is an iframe, it could be related to 3rd party cookies. Do you have Accept third-party cookies set to Never in your History settings?
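The server-side check leafo describes (the itchio_token cookie must equal the csrf_token form field) and the failure mode seen in the HAR (a purchase POST that carried no cookies at all) can be shown together. The block below is an added example, not itch.io's code: it implements a double-submit-cookie CSRF check over constructed requests, reporting the page's "mismatched token" error while also recording whether the cookie was absent or merely stale. The cookie and field names come from the thread; the request shape, the `reason` field and the placeholder token values are assumptions.

```javascript
// Added example (not itch.io's code): double-submit-cookie CSRF validation of
// the kind described in the thread. Cookie name `itchio_token` and form field
// `csrf_token` are from the thread; `reason` and the request shape are assumed.

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const jar = {};
  if (!header) return jar;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Constant-time string comparison so the check does not leak how many
// leading characters of the token matched. Length mismatch is a mismatch.
function tokensEqual(a, b) {
  const sa = String(a);
  const sb = String(b);
  if (sa.length !== sb.length) return false;
  let diff = 0;
  for (let i = 0; i < sa.length; i++) diff |= sa.charCodeAt(i) ^ sb.charCodeAt(i);
  return diff === 0;
}

// Validate one purchase POST. `req` is { headers: { cookie }, body: string }.
// Returns { ok: true } or { ok: false, errors: [...], reason }. The reason
// lets the caller tell "no cookie arrived" (the iframe / third-party-cookie
// case from the thread) apart from a token that was rotated under the page.
function checkCsrf(req, cookieName = 'itchio_token', fieldName = 'csrf_token') {
  const cookies = parseCookieHeader(req.headers && req.headers.cookie);
  const form = new URLSearchParams(req.body || '');
  const cookieToken = cookies[cookieName];
  const formToken = form.get(fieldName);
  if (!cookieToken) {
    return { ok: false, errors: ['mismatched token'], reason: 'no_token_cookie' };
  }
  if (!formToken || !tokensEqual(cookieToken, formToken)) {
    return { ok: false, errors: ['mismatched token'], reason: 'token_mismatch' };
  }
  return { ok: true };
}

// Constructed sample requests; token values are placeholders, not real ones.
const TOKEN = 'XXXXXSOMEVALUEXXXXX';
const sampleRequests = {
  // Direct visit on the itch.io origin: cookie and form field agree.
  direct: {
    headers: { cookie: `itchio_token=${TOKEN}; other=1` },
    body: `csrf_token=${TOKEN}&source=paypal&medium=default&initiator=embed&json=true`,
  },
  // Embed on a third-party site with third-party cookies blocked: the form
  // still carries the token, but the browser sent no Cookie header at all.
  blockedIframe: {
    headers: {},
    body: `csrf_token=${TOKEN}&source=paypal&medium=default&initiator=embed&json=true`,
  },
  // Stale page: the cookie was re-issued after the form was rendered.
  stale: {
    headers: { cookie: 'itchio_token=NEWVALUE' },
    body: `csrf_token=${TOKEN}&source=paypal&json=true`,
  },
};

// Walk the samples; `blockedIframe` is the case jakebesworth hit.
for (const [name, req] of Object.entries(sampleRequests)) {
  console.log(name, JSON.stringify(checkCsrf(req)));
}
```

Keeping the user-facing error text identical for both failure reasons avoids turning the check into an oracle, while the internal `reason` is what an error dialog or log line can use to point a blocked-cookie user at a standalone purchase page instead of a dead end.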

jakebesworth commented 6 years ago

Sent you an email again, but

Since this is an iframe, it could be related to 3rd party cookies. Do you have Accept third-party cookies set to Never in your History settings?

Short answer, yes

Solution

The appropriate solution is to "add an exception" for itch.io (and ddlc.moe maybe?) in about:preferences > Privacy > Accept Cookies from Sites > Exceptions, rather than allowing all third party cookies

Now, I wonder if there's a better way to do the embed (such as not using an iframe, which I don't really see possible), or not using cookies cross-domain like this, but regardless, seems like a niche-enough problem

jakebesworth commented 6 years ago

https://github.com/electology/approval_frame/issues/17

Seems like the common solution is adding external websites to the whitelist, but since it's a dynamic embed, that doesn't seem possible.

leafo commented 6 years ago

I don't think the whitelist is a reasonable solution here, it should just work. I'm going to have to write something that detects if the cookie wasn't able to be set, then redirects to a standalone page to purchase/download.
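One way to implement the detect-and-redirect approach described in the comment above, written as an added example rather than itch.io's own embed code. It writes a short-lived probe cookie and reads it back; if the browser silently dropped it (the blocked third-party cookie case inside an iframe), the embed should send the user to a standalone page on the first-party origin instead of letting the purchase POST fail with "mismatched token". The probe cookie name `itch_probe`, the standalone URL, and the fake `document`/`window` objects used to run it outside a browser are assumptions.

```javascript
// Added example (not itch.io's code). `doc` is any object with a readable and
// writable `cookie` property (the real `document` in a browser); `win` is any
// object with `top` and `self` (the real `window`). Probe cookie name and the
// standalone URL are assumed, not taken from the project.

// Read one cookie value from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  const m = new RegExp('(?:^|; )' + name + '=([^;]*)').exec(cookieString || '');
  return m ? m[1] : null;
}

// Try to set a probe cookie and read it back. SameSite=None; Secure is what a
// cross-site iframe needs in current browsers; the cookie is expired again
// immediately so it leaves no state behind.
function cookiesWritable(doc, name = 'itch_probe') {
  const value = 'p' + Date.now().toString(36);
  doc.cookie = `${name}=${value}; path=/; SameSite=None; Secure`;
  const found = readCookie(doc.cookie, name) === value;
  doc.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=None; Secure`;
  return found;
}

// True when this window is framed by another page. Reading `win.top` of a
// cross-origin parent can throw, which itself means we are embedded.
function isEmbedded(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Decide the purchase flow: inline when cookies work; break out of the frame
// to the standalone page when they don't and we are embedded; otherwise the
// user has cookies off entirely and no redirect will help.
function choosePurchaseFlow(doc, win, standaloneUrl) {
  if (cookiesWritable(doc)) return { mode: 'inline' };
  if (isEmbedded(win)) return { mode: 'redirect', url: standaloneUrl, target: '_top' };
  return { mode: 'cookies_disabled' };
}

// Constructed stand-in for `document` so the logic runs outside a browser.
// With acceptsCookies=false every write is dropped, like a blocked 3rd-party
// cookie; with true it behaves like a minimal cookie jar.
function fakeDocument(acceptsCookies) {
  const jar = {};
  return {
    get cookie() {
      return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set cookie(str) {
      if (!acceptsCookies) return;
      const [pair] = str.split(';');
      const idx = pair.indexOf('=');
      const name = pair.slice(0, idx).trim();
      const value = pair.slice(idx + 1).trim();
      if (/expires=Thu, 01 Jan 1970/.test(str)) delete jar[name];
      else jar[name] = value;
    },
  };
}

// Constructed stand-ins for `window`: one framed, one top-level.
const embeddedWindow = {};
embeddedWindow.self = embeddedWindow;
embeddedWindow.top = {};
const topWindow = {};
topWindow.self = topWindow;
topWindow.top = topWindow;

const STANDALONE_URL = 'https://itch.io/embed/106599'; // URL from the thread

console.log(choosePurchaseFlow(fakeDocument(true), embeddedWindow, STANDALONE_URL));
console.log(choosePurchaseFlow(fakeDocument(false), embeddedWindow, STANDALONE_URL));
console.log(choosePurchaseFlow(fakeDocument(false), topWindow, STANDALONE_URL));
```

In a real page the `redirect` result would be applied with `window.top.location.assign(url)` before the purchase form is shown; running the probe at load time rather than on submit is what turns the "mismatched token" dead end into a plain link to a page where the cookie can be set.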