Laravel TokenMismatchExpection When Posting From Inside An Iframe

I have a page running on This page have an iframe. The iframe source/contains a Laravel 5.2 base application.

My Laravel page URL "which is the source of the iframe" is has a form with a submit button. When a use clicks it, he/she hits another route on the same domain i.e.

But every time, I submit the form I get the following exception

TokenMismatchException in VerifyCsrfToken.php line 67:

To make sure I am clear, on the page my code looks something like this

on my laravel App which is located on here is my form

    <form method="POST" action="" accept-charset="UTF-8" class="form">
<input name="_token" type="hidden" value="Dk6SN4WzO4brbvdnBO6JZ7e1lBGjmYz8GQJ1lYFo">
<input name="survey_id" type="hidden" value="10">
<input name="call_id" type="hidden" value="667">
<input name="pools" type="hidden">

<input name="alt_id_1" type="hidden" value="250">
<input name="alt_id_2" type="hidden" value="5">
<input name="alt_id_3" type="hidden">
<input name="alt_id_4" type="hidden">
<input name="alt_id_5" type="hidden">
<input name="alt_id_6" type="hidden">
<input name="alt_id_7" type="hidden">
<input name="alt_id_8" type="hidden">
<input name="alt_id_9" type="hidden">
<input name="alt_id_10" type="hidden">

<input name="alt_string_1" type="hidden">
<input name="alt_string_2" type="hidden">
<input name="alt_string_3" type="hidden">
<input name="alt_string_4" type="hidden">
<input name="alt_string_5" type="hidden">
<input name="alt_string_6" type="hidden">
<input name="alt_string_7" type="hidden">
<input name="alt_string_8" type="hidden">
<input name="alt_string_9" type="hidden">
<input name="alt_string_10" type="hidden">

<div class="text-center"> 
    <input class="btn btn-primary" type="submit" value="Start Survey">


The form works perfectly outside of the iframe. The problem only happens when I am inside the iframe.

I opened the VerifyCsrfToken class located in App\Http\Middleware and added into the $except array which did not fix the problem.

protected $except = [

What could be causing this issue? How can I correct the problem?

Edited, Here is my template

{!! Form::open([
                'url' => route('my.surveys.display'),
                'class' => 'form',
                'method' => 'post'
                ]) !!}
{!! Form::hidden('survey_id', $survey_id) !!}
{!! Form::hidden('call_id', $call_id) !!}
{!! Form::hidden('pools', $pools) !!}
{!! Form::hidden('call_type', $type) !!}

{!! Form::hidden('alt_id_1', $alt_id_1) !!}
{!! Form::hidden('alt_id_2', $alt_id_2) !!}
{!! Form::hidden('alt_id_3', $alt_id_3) !!}
{!! Form::hidden('alt_id_4', $alt_id_4) !!}
{!! Form::hidden('alt_id_5', $alt_id_5) !!}
{!! Form::hidden('alt_id_6', $alt_id_6) !!}
{!! Form::hidden('alt_id_7', $alt_id_7) !!}
{!! Form::hidden('alt_id_8', $alt_id_8) !!}
{!! Form::hidden('alt_id_9', $alt_id_9) !!}
{!! Form::hidden('alt_id_10', $alt_id_10) !!}

{!! Form::hidden('alt_string_1', $alt_string_1) !!}
{!! Form::hidden('alt_string_2', $alt_string_2) !!}
{!! Form::hidden('alt_string_3', $alt_string_3) !!}
{!! Form::hidden('alt_string_4', $alt_string_4) !!}
{!! Form::hidden('alt_string_5', $alt_string_5) !!}
{!! Form::hidden('alt_string_6', $alt_string_6) !!}
{!! Form::hidden('alt_string_7', $alt_string_7) !!}
{!! Form::hidden('alt_string_8', $alt_string_8) !!}
{!! Form::hidden('alt_string_9', $alt_string_9) !!}
{!! Form::hidden('alt_string_10', $alt_string_10) !!}

<div class="text-center"> 
    {!! Form::submit('Start Survey', ['class' => 'btn btn-primary', 'id' => 'start_survey']) !!}


Given the details that you provide in the original question, it seems that Laravel is behaving exactly as it should when refusing to allow you to submit the form.

The user-agent is browsing to and POSTing the form to, via an iframe. If I'm not mistaken, this is precisely the behavior that CSRF tokens are designed to prevent.

This question may even be a duplicate of Laravel 5 TokenMismatchException only in iFrame . I concur with the accepted answer there.

If this is an internal site and you're willing to accept the associated risks, you may add an exception for the route to which you are POSTing, as described in the above-cited answer.