I'm trying to implement password in an iframe, CSRF issue

There is an API endpoint for getting a custom password reset page URL. It’s the same sort of link you get in a password reset email.

I have in mind to make a password reset page. Using classic login, I can customize the password reset page to be dual-mode. Reset mode for the email, and change mode for an iframe embedded in a user preferences popup modal.

I did all this, even using the window.postMessage API to tell the parent page when the password change is complete; however, I'm getting a 403 error:

Request Method: POST
Status Code: 403

code: "invalid_csrf_token"
message: "Invalid CSRF token"
name: "CsrfInvalidTokenError"
statusCode: 403

(It’s ok, the token is stale)

_csrf: Zt9vuD6C-jzeN94KpaEr8Fpx8r8kwyvuwfYs
ticket: OVXYfqu9obitx94wnEQJTcqrWQnoYDIb

It’s providing a token, but failing the request.