I’m using Kirby as a headless CMS. I’d like to be able to show the Kirby admin in an iframe overlaying the page in the frontend app. That way, the editor gets almost an in-place editing experience.
Unfortunately, I’m getting an Invalid CSRF token error at the login screen, even if I am logged in, in a separate window on the same URL.
Why I’m asking: Kirby’s login cookie has a SameSite=Lax attribute which prevents access across origins, and (as far as I am aware) browsers validate the “origin” always from the URL displayed in the browser bar, i.e. the Panel displayed inside an iframe would be considered a third-party site and hence cannot access such a cookie.
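The SameSite behaviour described in the question, modelled as an added example (not part of the original post and not Kirby’s code): a small decision function that mirrors how browsers apply SameSite=Strict/Lax/None, with the "site" computed from the address in the URL bar rather than from the iframe’s own URL. The hostnames `app.example` and `cms.example`, the cookie name and the simplified registrable-domain rule are assumptions made for the example.

```javascript
// Added example: a model of browser SameSite cookie handling, written to show
// why a Lax login cookie is not attached to a Panel loaded in a cross-site
// iframe. Not Kirby's code; the rules follow RFC 6265bis as commonly
// implemented, with the simplifications noted in the comments.

// Simplified "registrable domain": the last two DNS labels. Real browsers
// consult the Public Suffix List (e.g. for *.co.uk); this assumption holds for
// plain two-label hosts such as cms.example and app.example.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Schemeful same-site check: same scheme and same registrable domain.
function sameSite(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Decide whether a cookie would be attached to a request.
//   cookie:  { name, sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure: boolean }
//   request: { url, method, topLevelUrl, topLevelNavigation }
// topLevelUrl is the address shown in the browser bar. For a document loaded
// in an iframe that is the embedding page, not the iframe's own URL; for a
// top-level navigation it is the page that initiated the navigation.
function cookieWouldBeSent(cookie, request) {
  const reqUrl = new URL(request.url);
  if (cookie.secure && reqUrl.protocol !== 'https:') return false;

  // An unspecified SameSite attribute is treated as Lax by modern browsers
  // (the transient "Lax+POST" allowance some browsers apply is omitted here).
  const mode = (cookie.sameSite || 'Lax').toLowerCase();

  if (mode === 'none') {
    // SameSite=None is only accepted together with Secure; without it the
    // browser rejects the cookie outright, so it is never sent.
    return cookie.secure === true;
  }

  if (sameSite(request.url, request.topLevelUrl)) return true; // first-party context

  if (mode === 'strict') return false;

  // Lax: cross-site cookies accompany only top-level navigations that use a
  // safe method. A subresource or iframe load is not a top-level navigation.
  const safeMethod = ['GET', 'HEAD'].includes(request.method.toUpperCase());
  return request.topLevelNavigation === true && safeMethod;
}

// Constructed scenario: a headless frontend at app.example embeds the Panel
// served from cms.example (hypothetical hosts, hypothetical cookie name).
const loginCookie = { name: 'panel_session', sameSite: 'Lax', secure: true };

const panelInIframe = {
  url: 'https://cms.example/panel/login',
  method: 'GET',
  topLevelUrl: 'https://app.example/page', // the frontend is in the URL bar
  topLevelNavigation: false,               // iframe load, not a navigation
};

const panelInOwnTab = {
  url: 'https://cms.example/panel/login',
  method: 'GET',
  topLevelUrl: 'https://cms.example/panel/login',
  topLevelNavigation: true,
};

console.log('Panel in iframe  ->', cookieWouldBeSent(loginCookie, panelInIframe)); // false
console.log('Panel in own tab ->', cookieWouldBeSent(loginCookie, panelInOwnTab)); // true
```

The two results match the symptom in the question: the same Lax cookie that authenticates the Panel in its own tab is withheld when the Panel is framed by a different site, so the Panel's login form cannot find the session that holds its CSRF token. The model also shows the only attribute combination under which a browser would send the cookie into a cross-site iframe, SameSite=None together with Secure.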