Invalid CSRF token using Kirby in an iframe

I’m using Kirby as a headless CMS. I’d like to be able to show the Kirby admin in an iframe overlaying the page in the frontend app. That way, the editor gets almost an in-place editing experience.

Unfortunately, I’m getting an Invalid CSRF token error at the login screen, even if I am logged in, in a separate window on the same url.

Why is this happening and is there a way around the issue?

kirby uses php sessions to store the csrf token. these don’t go well with iframes. maybe this helps:

1 Like

Just tried that, and everything described here:

But that doesn’t solve the issue.

I would be ok with opening a separate session for the iframe. But it looks like the session doesn’t stick.

Do the frontend app’s URL and the URL of your Kirby instance meet the requirements of the same-origin policy?

Why I’m asking: Kirby’s login cookie has a SameSite=Lax attribute which prevents access across origins, and (as far as I am aware) browsers validate the “origin” always from the URL displayed in the browser bar …i.e. the Panel displayed inside an iframe would be considered a third-party site and hence cannot access such cookie.


Right, haven’t thought of that. I guess my best/safest option would be setting up a reverse proxy.

Thanks for pointing that out!