{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 傲 的问题《Antiforgery token exception only when debugger is》','https://www.manongdao.com/q-656492.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have an mvc2 app which is serving content through iframes. The iframed page is simply a form. It has a request validation token. Everything works well cross domain until a developer uses the Visual Studio 2005 debugger. As soon as they do, I get the following error details.
Exception:
System.Web.Mvc.HttpAntiForgeryException : A required anti-forgery token was not supplied or was invalid.
Stack Trace:
at System.Web.Mvc.ValidateAntiForgeryTokenAttribute.OnAuthorization(AuthorizationContext filterContext)
at System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor)
at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
Source:
System.Web.Mvc
Location:
Void OnAuthorization(System.Web.Mvc.AuthorizationContext)
Url:
https://mydomain.com/Portal/Framed/NewQuickPay/yFkYAA!!-OSlvtw!!-4f560479-96f2-4578-8804-a757d4913f52
Path:
D:\Inetpub\wwwroot\Portal\
Referrer:
https://mydomain.com/portal/Framed/Index/yFkYAA!!-OSlvtw!!-4f560479-96f2-4578-8804-a757d4913f52/?amount=2861.43
Server Name:
/* OMITTED */
IP Address:
/* OMITTED */
User Agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; .NET CLR 1.1.4322)
Is Authenticated:
False
Http Method:
POST
Form Data
/* OMITTED */
__RequestVerificationToken EoJfaqoiWFUnbJFIQQeXoCeUdtVKpfX7RB0LfUXoTzRbrwK3ZYr6ZjT2ldsNGqVuB+3Vtc3uiRZoJiF+VAi7v7kdEy/sCb6jI9stzTzz/hRh3emTzBh61W9+GkFlEkxEVID8Bg==
Cookies
/* NONE */
We have deleted all cookies, restarted the machine, restarted visual studio, and still the debugger causes this error.
I have added a declared machine key to the web.config. I'm not sure what else it could be. It happens only when the debugger is running, and they are using Visual Studio 2005.
I found the answer. My content was being presented through a cross domain iframe. According to Adam Young, IE will automatically block third party cookies unless you define a P3P policy in the header.
I added code to inject the p3p policy into the header and just call it from each action that I use in my iframe. So far, we have not seen this error turn up. I hope this solution helps someone else.
I also defined a machine key, although I'm not sure that was necessary.