Does it actually make any sense to figure out how to do CSRF tokens via an AJAX-submitted form from another domain to Kirby? The more I think about it, the more it seems impossible to exchange tokens via a session or similar from the server to the client as it’s on another domain.
pinging @mzur here as well, as he’s very knowledgeable about this topic and I’m having issues setting this up via his plugin.
Would it be an option to have a uniform helper method ->withoutCSRF() that doesn’t perform this check then? I can PR if you want…
Since I would like to use Uniform, I’d like to be able to not check for CSRF tokens there then (which is currently not the case)? But that’s more of a Uniform issue than a Kirby issue then, right?
I’m not sure if it’s a good idea to POST form data in a cross-domain request. The CSRF token is intended explicitly to prevent this. If you implement some method or disable some check to allow such a request, you automatically open up your website to all the CSRF attacks there are.
An alternative implementation could use the webhook action and a secret authentication token to post the data from the backend of your original domain to the backend running at the “cross” domain. Something like this: Form on site A → AJAX POST request protected by CSRF token → Backend of site A → Webhook POST request protected by secret authentication token → Backend of site B. You could possibly use an iframe, too, but I have no experience with that.
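The backend-to-backend webhook leg of the flow proposed above, as an added example that is not part of this thread or of the Uniform plugin (written in Python rather than Kirby’s PHP for illustration): backend A only calls this after its own CSRF check has passed, and backend B accepts the form data only if the HMAC over the body matches and the timestamp is fresh. The shared secret, header names and skew window are assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Shared secret known only to backend A and backend B (constructed placeholder).
WEBHOOK_SECRET = b"replace-with-a-long-random-secret"
# Reject signed requests older than this, to limit replay of a captured webhook call.
MAX_SKEW_SECONDS = 300


def sign_webhook(payload: dict, secret: bytes, now: Optional[int] = None) -> dict:
    """Backend of site A: build the server-to-server request for backend B.
    Returns the canonical JSON body and the headers that authenticate it."""
    ts = str(int(time.time()) if now is None else now)
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    # The timestamp is bound into the MAC so it cannot be changed independently.
    mac = hmac.new(secret, ts.encode() + b"." + body, hashlib.sha256).hexdigest()
    return {"body": body, "headers": {"X-Webhook-Timestamp": ts, "X-Webhook-Signature": mac}}


def verify_webhook(body: bytes, headers: dict, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Backend of site B: return the parsed form data if the request is authentic
    and fresh, otherwise None (the caller should respond 401/403 and do nothing)."""
    ts = headers.get("X-Webhook-Timestamp", "")
    sig = headers.get("X-Webhook-Signature", "")
    if not ts.isdigit():
        return None
    current = int(time.time()) if now is None else now
    if abs(current - int(ts)) > MAX_SKEW_SECONDS:
        return None
    expected = hmac.new(secret, ts.encode() + b"." + body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(body)
```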
I know about this. My case is that the form is rendered via Kirby and included in another website via ESI (via Varnish). So I don’t have any access to that server, nor its backend. It’s also different than an iframe, I believe, since an iframe actually has some “hot” connection to the webserver, while in my setup it does not.
It’s also not really for sensitive data; it’s for submitting a few fields that then get emailed and are pushed through to another system.
I have a PoC working with your plugin where CSRF can become optional via config. Then it works. Is this something you’d add to your plugin? It can be helpful for others, and then I don’t always have to patch your plugin upon each update.