I have an MVC2 app which is serving content through iframes. The iframed page is simply a form. It has a request validation token. Everything works well cross-domain until a developer uses the Visual Studio 2005 debugger. As soon as they do, I get the following error details.
Exception:
System.Web.Mvc.HttpAntiForgeryException : A required anti-forgery token was not supplied or was invalid.
Stack Trace:
at System.Web.Mvc.ValidateAntiForgeryTokenAttribute.OnAuthorization(AuthorizationContext filterContext)
at System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor)
at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
Source:
System.Web.Mvc
Location:
Void OnAuthorization(System.Web.Mvc.AuthorizationContext)
Url:
https://mydomain.com/Portal/Framed/NewQuickPay/yFkYAA!!-OSlvtw!!-4f560479-96f2-4578-8804-a757d4913f52
Path:
D:\Inetpub\wwwroot\Portal\
Referrer:
https://mydomain.com/portal/Framed/Index/yFkYAA!!-OSlvtw!!-4f560479-96f2-4578-8804-a757d4913f52/?amount=2861.43
Server Name:
/* OMITTED */
IP Address:
/* OMITTED */
User Agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; .NET CLR 1.1.4322)
Is Authenticated:
False
Http Method:
POST
Form Data
/* OMITTED */
__RequestVerificationToken EoJfaqoiWFUnbJFIQQeXoCeUdtVKpfX7RB0LfUXoTzRbrwK3ZYr6ZjT2ldsNGqVuB+3Vtc3uiRZoJiF+VAi7v7kdEy/sCb6jI9stzTzz/hRh3emTzBh61W9+GkFlEkxEVID8Bg==
Cookies
/* NONE */
We have deleted all cookies, restarted the machine, restarted Visual Studio, and still the debugger causes this error.
I have added a declared machine key to the web.config. I'm not sure what else it could be. It happens only when the debugger is running, and they are using Visual Studio 2005.
I found the answer. My content was being presented through a cross-domain iframe. According to Adam Young, IE will automatically block third-party cookies unless you define a P3P policy in the header.
I added code to inject the P3P policy into the header and just call it from each action that I use in my iframe. So far, we have not seen this error turn up. I hope this solution helps someone else.
I also defined a machine key, although I'm not sure that was necessary.
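As an added illustration of the fix described in the answer (not the poster's own code), here is one way to emit the P3P header from every action of the framed controller. The answer calls a helper from each action; this example instead wraps the same header write in an MVC2 action filter applied at controller level, so no action can forget it. The controller and action names mirror the URLs in the question, and the compact policy (CP) tokens are a constructed placeholder that must be replaced with values matching the site's real privacy policy. The header only tells IE to accept the third-party cookie; the anti-forgery protection itself still comes from `ValidateAntiForgeryToken` comparing the form token with the cookie token.

```csharp
using System.Web.Mvc;

// Added example, not code from the original post: a reusable action filter that
// sends the P3P compact policy header so IE will store the anti-forgery cookie
// for a page served inside a cross-domain iframe.
public sealed class P3PHeaderAttribute : ActionFilterAttribute
{
    // Constructed placeholder CP value; it must reflect your own P3P policy.
    private const string CompactPolicy =
        "CP=\"IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA\"";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // AppendHeader writes the header before the view renders, on the GET that
        // sets the cookie and on the POST that must send it back.
        filterContext.HttpContext.Response.AppendHeader("P3P", CompactPolicy);
        base.OnActionExecuting(filterContext);
    }
}

// Controller names are assumptions taken from the question's URLs (/Portal/Framed/...).
// Applying the filter at controller level covers every action in the iframe.
[P3PHeader]
public class FramedController : Controller
{
    [HttpGet]
    public ActionResult Index(string id, decimal? amount)
    {
        // The view renders the form and calls Html.AntiForgeryToken(), which
        // emits the hidden __RequestVerificationToken field and its cookie.
        ViewData["Amount"] = amount;
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult NewQuickPay(string id, FormCollection form)
    {
        // Reaching this point means the form token and cookie token matched;
        // without the P3P header IE drops the cookie and the filter throws
        // HttpAntiForgeryException, as seen in the question's stack trace.
        return RedirectToAction("Index", new { id });
    }
}
```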