Hi,

I’m requesting a form at domain-a from a route at domain-b and set a CSRF token, which is placed in a hidden input in the formsnippet:
```php
[ // Return the snippet with the Form Template
    'pattern' => 'path/form',
    'method'  => 'GET',
    'action'  => function () use ($kirby) {
        $sess = $kirby->session();
        return Response::json([
            'status'     => 'ok',
            'statusType' => 'template_loaded',
            // csrf() returns the token stored in the session (and creates it if missing)
            'html'       => snippet('forms/formsnippet', ['csrf' => csrf()], true),
        ], 200);
    }
],
```
After filling in the form (domain-a) and sending it back to the next route at domain-b, the token doesn’t match anymore, but I actually need the session to process the form data.
```php
// A form was sent via the front-end from domain-a.
[
    'pattern' => 'path/formaction',
    'method'  => 'POST',
    'action'  => function () use ($kirby) {
        $sess    = $kirby->session();
        $request = $kirby->request();
        $body    = $request->body();
        $fd      = $body->toArray();
        return Response::json([
            'status'     => 'error',
            'statusType' => 'session_expired',
            // dump(..., false) returns the output instead of echoing it
            'html'       => dump([
                'fd[csrf]' => $fd['csrf'] ?? null, // token submitted with the form
                'CSRF'     => csrf(),              // token in the (new) server session
            ], false),
        ], 200);
        //...
    }
],
```
It works if both the form and the routes live on the same domain.
Do I have to send some special headers when making a fetch request?
Thanks in advance!