419 Page Expired with ALLOWED_IFRAME_HOSTS #5000

Closed
opened 2026-02-05 09:32:31 +03:00 by OVERLORD · 2 comments
Originally created by @antitiron on GitHub (Oct 14, 2024).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

Hello!

Thank you for the great application.

The problem is similar to issue 2671: 419 Error Page Expired if ALLOWED_IFRAME_HOSTS is added to .env.

I am attaching the config file:

```
# This file, when named as ".env" in the root of your BookStack install
# folder, is used for the core configuration of the application.
# By default this file contains the most common required options but
# a full list of options can be found in the '.env.example.complete' file.

# NOTE: If any of your values contain a space or a hash you will need to
# wrap the entire value in quotes. (eg. MAIL_FROM_NAME="BookStack Mailer")

# Application key
# Used for encryption where needed.
# Run `php artisan key:generate` to generate a valid key.
APP_KEY=base64:***

# Application URL
# This must be the root URL that you want to host BookStack on.
# All URLs in BookStack will be generated using this value
# to ensure URLs generated are consistent and secure.
# If you change this in the future you may need to run a command
# to update stored URLs in the database. Command example:
# php artisan bookstack:update-url https://old.example.com https://new.example.com
APP_URL=http://bookstack

# Database details
DB_HOST=localhost
DB_DATABASE=bookstack
DB_USERNAME=bookstack
DB_PASSWORD=***

# Mail system to use
# Can be 'smtp' or 'sendmail'
MAIL_DRIVER=smtp

# Mail sender details
MAIL_FROM_NAME="BookStack"
MAIL_FROM=bookstack@example.com

# SMTP mail options
# These settings can be checked using the "Send a Test Email"
# feature found in the "Settings > Maintenance" area of the system.
# For more detailed documentation on mail options, refer to:
# https://www.bookstackapp.com/docs/admin/email-webhooks/#email-configuration
MAIL_HOST=localhost
MAIL_PORT=587
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

APP_DEBUG=true
AUTH_METHOD=ldap
LDAP_BASE_DN="***"
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
LDAP_DN="***"
LDAP_EMAIL_ATTRIBUTE=mail
LDAP_ID_ATTRIBUTE=mail
LDAP_PASS="***"
LDAP_SERVER=***
LDAP_START_TLS=false
LDAP_USER_FILTER=(&(sAMAccountName=${user}))
LDAP_GROUP_ATTRIBUTE="memberOf"
LDAP_VERSION=3
LDAP_USER_TO_GROUPS=true
LDAP_REMOVE_FROM_GROUPS=false
LDAP_AUTO_CONFIRM_EMAIL=true
LDAP_DUMP_USER_GROUPS=false
LDAP_DUMP_USER_DETAILS=false
SESSION_LIFETIME=7200
#SESSION_DOMAIN=http://bookstack
SESSION_SECURE_COOKIE=false

# Adding a single host
ALLOWED_IFRAME_HOSTS="*"
```

After changes, make sure to run “php artisan optimize:clear”.

I cleared all session cookies; it doesn't work in any browser, neither Chrome nor Firefox.

If you can help - it would be great.

Exact BookStack Version

v24.05.4

Log Content

No response

Hosting Environment

VPS Ubuntu 24.04.1
PHP 8.3.6

OVERLORD added the 🐕 Support label 2026-02-05 09:32:31 +03:00
@ssddanbrown commented on GitHub (Oct 14, 2024):

Hi @antitiron,

Based upon your `.env` I'm assuming your BookStack instance is served over standard `http://` and not `https://`?

If so, then cookies are getting blocked by common browser security requirements.
When `ALLOWED_IFRAME_HOSTS` is used, cookies are served with `SameSite=None`, which allows them to work for cross-site requests (since the BookStack instance would be considered third-party when embedded). Browsers require cookies of this kind to be served via `https://` with a specific flag (which BookStack will set when the `APP_URL` is set to start with `https://`).

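The browser rules behind the maintainer's explanation, as an added example that is not part of the original thread and not BookStack's own code. It models the two cookie checks that matter here (a `SameSite=None` cookie is dropped unless it also carries `Secure`, and a `Secure` cookie is dropped when set over plain `http://`) and derives the session-cookie attributes from the `.env` keys on this page the way the reply describes them; that derivation, the Laravel default of `SameSite=Lax` when no iframe hosts are configured, and the cookie name `bookstack_session` are assumptions, not copied from the project. When the session cookie is never stored, the next form POST arrives with no session, the CSRF token cannot be matched, and Laravel answers 419 Page Expired.

```javascript
// Added example, not BookStack code. Models why ALLOWED_IFRAME_HOSTS over
// plain http:// leads to a rejected session cookie and therefore a 419.

// Derive the session-cookie attributes as described in the maintainer's
// reply (assumption about the application's behaviour, not its source):
//   - Secure is set when APP_URL starts with https://
//   - SameSite=None when ALLOWED_IFRAME_HOSTS is configured, else Lax.
function sessionCookieAttributes(env) {
  const secure = /^https:\/\//i.test(env.APP_URL || '');
  const embedded = Boolean(env.ALLOWED_IFRAME_HOSTS);
  return { secure, sameSite: embedded ? 'None' : 'Lax' };
}

// Build the Set-Cookie header the server would emit. Cookie name assumed.
function setCookieHeader(name, value, attrs) {
  const parts = [`${name}=${value}`, 'Path=/', 'HttpOnly', `SameSite=${attrs.sameSite}`];
  if (attrs.secure) parts.push('Secure');
  return parts.join('; ');
}

// Parse a Set-Cookie header into its name/value pair and an attribute map
// (attribute names lower-cased; flag attributes map to true).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Decide whether a browser stores the cookie and whether it would later
// accompany a cross-site request (e.g. from inside an <iframe> on another
// site). Rules follow RFC 6265bis as enforced by current Chrome/Firefox:
//   1. SameSite=None without Secure  -> cookie ignored entirely
//   2. Secure cookie set over http:// -> cookie ignored
//      (browsers exempt localhost as trustworthy; not modelled here)
//   3. only SameSite=None cookies are sent on cross-site requests
function evaluateCookie(header, responseUrl) {
  const { attrs } = parseSetCookie(header);
  const secure = attrs.secure === true;
  const sameSite = String(attrs.samesite || 'Lax').toLowerCase();
  const https = /^https:/i.test(responseUrl);
  if (sameSite === 'none' && !secure) {
    return { stored: false, sentCrossSite: false, reason: 'SameSite=None requires Secure' };
  }
  if (secure && !https) {
    return { stored: false, sentCrossSite: false, reason: 'Secure cookie over http:// is ignored' };
  }
  return { stored: true, sentCrossSite: sameSite === 'none', reason: 'ok' };
}

// End-to-end for one .env: if the cookie is not stored, the session is lost
// between page load and form POST, the CSRF check fails and Laravel returns 419.
function outcomeFor(env) {
  const header = setCookieHeader('bookstack_session', 'opaque', sessionCookieAttributes(env));
  const result = evaluateCookie(header, env.APP_URL);
  return { header, ...result, loginWorks: result.stored };
}

// Constructed configurations matching the issue.
const CASES = {
  httpNoIframe: { APP_URL: 'http://bookstack' },
  httpIframe:   { APP_URL: 'http://bookstack', ALLOWED_IFRAME_HOSTS: '*' },           // reporter's .env
  httpsIframe:  { APP_URL: 'https://bookstack.example', ALLOWED_IFRAME_HOSTS: '*' },  // what the reply asks for
};

for (const [name, env] of Object.entries(CASES)) {
  const o = outcomeFor(env);
  console.log(`${name}: ${o.header}`);
  console.log(`  stored=${o.stored} sentCrossSite=${o.sentCrossSite} (${o.reason})`);
}
```

Only `httpsIframe` yields a cookie that is both stored and sent when BookStack is embedded as a third party; `httpNoIframe` works for direct use but its `Lax` cookie would never travel with an embedded request, which is why the iframe feature and plain `http://` cannot be combined.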
@antitiron commented on GitHub (Oct 14, 2024):

Yes, inside the LAN, via http://.

Thanks for the reply!

Reference: starred/BookStack#5000