CSRF Setting issues when creating Facebook Canvas App for a Codeiginter Page

Question

I've a codeigniter app, which works fine. I created a facebook canvas app, and tried loading a page generated by the codeigniter. It didn't work. And I got to see dreaded - "The action you have requested is not allowed". Just so to ensure my facebook app settings are right, I tried with a page from another site, and it worked.

So started search for possible problems, I could figure out that it was because of CSRF protection=TRUE in cornfig settings. So I simply turned off CSRF protection to see, if would work. Then, it worked and I could actually load codeigniter generated pages through Facebook Canvas App (Sandbox mode, though..)

Some suggested if we hard code hidden field for csrf token, (instead of depending on form_open() function) we could avoid this rule, and by that logic, if we had a page, which has no form at all, should work fine. And I couldn't not load even pages that don't have a form.

And I'm not using AJAX anywhere.

I'm using CI 2.1.3.

One related link - http://ellislab.com/forums/viewthread/228160/#1038448 Though there are many similar questions on Stackoverflow and other forums, I couldn't find satisfactory answer.

If I just see apache logs, I really don't feel turning off CSRF protection would be a good idea.

So How do I make codeignter generated pages appear in facebook canvas app, without turning off CSRF protection?

Any pointers will be useful. Thanks for you time.

Answer 1

The root cause of this problem is how Facebook call the app page iframe. Facebook send a post by default a parameter (signed_request) in $_POST array. But when Codeigniter checks for CSRF protection then no csrf token is found in post array.

So apparently there is no straight forward solution for this. We can change the conditions in csrf_verify function in system\\core\\Security.php so that do not verify when there is value of $_POST['signed_request'], but I know that is not a good idea.