Deal With The CSRF Token in Iframe

The CSRF Token is meant to protect you from Cross-Site Request Forgery, so it will trigger a TokenMismatchException if the form is placed in an iframe not on your domain.

The purpose of the CSRF token is to protect your forms from being submitted from other domains, and this is exactly what happens if you place the form in an iframe on another domain. Fortunately, Laravel lets you add the URL to an exclusion list so that it won't verify its CSRF token.

How to deal with the CSRF token in an iframe outside your website

If you want to place a form in an iframe that's not on your domain name, then you can use the exclude list present in the VerifyCsrfToken.php Middleware.

You can find the Middleware in app/Http/Middleware/VerifyCsrfToken.php and it already contains an array where you can add URLs that you want to be excluded from the verification.

Let's say we have a form in an iframe that submits to

Your blade file will look like this:

<form method="post" action="{{ url('post/something') }}">
    <input type="text" name="somename">
    <input type="submit">
</form>

In your routes.php file you have

Route::post('post/something', '[email protected]');

And in order to exclude this URL from being verified by the Middleware we will add the following in VerifyCsrfToken.php:

protected $except = ['post/something'];

This way you can exclude just that single URL from being verified, while preserving the CSRF Token verification on every other URL.
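Because the excluded route no longer checks a token, one compensating check is to compare the request's Origin header with your app's own origin. The middleware below is an added example, not code from the original post; the class name RequireSameOrigin and the use of config('app.url') as the origin that serves the iframe are assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;

// Added example (hypothetical class name), meant for the route excluded from CSRF checks.
class RequireSameOrigin
{
    public function handle($request, Closure $next)
    {
        // Assumption: APP_URL (config 'app.url') is the public origin serving the iframe.
        $expected = $this->originOf(config('app.url'));

        // Browsers attach Origin to form POSTs; fall back to Referer when it is absent.
        $sent = $request->headers->get('Origin') ?: $request->headers->get('Referer');
        $actual = $sent ? $this->originOf($sent) : null;

        // Reject a missing, unparsable ("null") or foreign origin.
        if ($expected === null || $actual === null || $expected !== $actual) {
            abort(403, 'Cross-origin form submission rejected.');
        }

        return $next($request);
    }

    // Reduce a URL to "scheme://host[:port]"; returns null when it cannot be parsed.
    private function originOf($url)
    {
        $parts = parse_url((string) $url);
        if (empty($parts['scheme']) || empty($parts['host'])) {
            return null;
        }

        $scheme = strtolower($parts['scheme']);
        $origin = $scheme . '://' . strtolower($parts['host']);

        // Keep the port only when it differs from the scheme's default.
        $default = $scheme === 'https' ? 443 : 80;
        if (isset($parts['port']) && (int) $parts['port'] !== $default) {
            $origin .= ':' . $parts['port'];
        }

        return $origin;
    }
}
```

Attach it only to the post/something route, so every other URL keeps the normal token verification.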