Hey! Thanks for your answer @mzur!
I know about this. My case is that the form is rendered via Kirby and included in another website via ESI (via Varnish). So I don’t have any access to that server, nor backend. It’s also different than an iframe I believe; since an iframe actually has some “hot” connection to the webserver, as in my setup it does not.
It’s also not really for sensitive data; it’s for submitting a few fields that then get emailed and are pushed through to another system.
I have a PoC working with your plugin where CSRF can become optional via config. Then it works. Is this something you’d add to your plugin? It can be helpful for others, and then I don’t always have to patch your plugin upon each update.