tobimori / kirby-dreamform

✨ DreamForm is an opinionated form builder plugin for Kirby CMS that makes forms work like magic
https://plugins.andkindness.com/dreamform
45 stars, 7 forks

Referer is NULL when Kirby URL is '/' #101

Open lemmon opened 5 days ago

lemmon commented 5 days ago

The Submission Page checks for the referer and validates its host against Kirby's.

https://github.com/tobimori/kirby-dreamform/blob/a843b52bbee1e393a247817d12ba0e9dc3191fe8/classes/Models/FormPage.php#L217

However, the problem occurs when the Kirby config url is set to '/'. The hosts obviously don't match, and therefore the valid referer is not set.

tobimori commented 5 days ago

Why do you have to use this setup? Shouldn't it work perfectly fine without the / in config.php?

lemmon commented 5 days ago

This is the case when Kirby is used as a headless CMS. I need all the URLs rendered without the host across the whole of Kirby. Even the documentation says it is fine to use this setup (https://getkirby.com/docs/reference/system/options/url). Well, this messes up DreamForm.

tobimori commented 5 days ago

Yeah, I noticed the documentation, I was just curious.

The issue is the plugin can't really work without this, you do have to "validate" the URL somehow. I can't send a "relative" redirect, the Referer always has to be a full URL. If I allow any URLs if / is set, it could be abused (you could use the forms from my site on your site).

tobimori commented 5 days ago

Do you use the API submission mode when building headless?

lemmon commented 5 days ago

Yeah, I get that there needs to be some kind of protection. Perhaps it could use HTTP_HOST when $site->host() is not present. Should match HTTP_REFERER with such cases.

The thing is that the [almost] whole site is headless, but forms get embedded into iframes. This is related to #104. Therefore the forms need to work as in a regular Kirby. It's kind of a mixed situation.
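To make the check discussed in this thread concrete (the referer host comparison from the first comment, and lemmon's suggested fallback to HTTP_HOST when the `url` option is '/'), here is an added, self-contained PHP sketch. It is not DreamForm's code and not Kirby's API; the function names, the `$configuredUrl` parameter (standing in for the value of Kirby's `url` option) and the sample requests are all constructed for this illustration.

```php
<?php
// Added example, not DreamForm's own code: referer host check with an
// HTTP_HOST fallback for the "url => '/'" configuration discussed above.
// Function names, parameters and sample data are assumptions for illustration.

declare(strict_types=1);

/**
 * Extract the host (lower-cased, without port) from an absolute URL.
 * Returns null for relative or malformed URLs such as '/' or '/contact'.
 */
function hostOf(?string $url): ?string
{
    if ($url === null || $url === '') {
        return null;
    }
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) && $host !== '' ? strtolower($host) : null;
}

/**
 * Decide which host the Referer must match.
 * $configuredUrl stands in for Kirby's `url` option. When it is '/' (or any
 * host-less value) it yields no host, so fall back to the request's HTTP_HOST.
 */
function expectedHost(string $configuredUrl, ?string $httpHost): ?string
{
    $fromConfig = hostOf($configuredUrl);
    if ($fromConfig !== null) {
        return $fromConfig;
    }
    if ($httpHost === null || $httpHost === '') {
        return null;
    }
    // HTTP_HOST may carry a port ("example.test:8443"); compare host only.
    return strtolower(preg_replace('/:\d+$/', '', $httpHost));
}

/**
 * True only when the Referer is an absolute URL whose host equals the
 * expected host. A missing Referer, a relative Referer, or an unknown
 * expected host all fail closed (rejected).
 */
function isValidReferer(?string $referer, string $configuredUrl, ?string $httpHost): bool
{
    $expected = expectedHost($configuredUrl, $httpHost);
    $actual   = hostOf($referer);
    return $expected !== null && $actual !== null && $expected === $actual;
}

// Constructed sample requests (not real traffic):
// [referer, configured url option, HTTP_HOST, expected verdict]
$cases = [
    ['https://example.test/contact', 'https://example.test', null,                true],
    ['https://other.test/contact',   'https://example.test', null,                false],
    ['https://example.test/contact', '/',                    'example.test',      true],  // the '/' case from the issue
    ['https://example.test/contact', '/',                    'example.test:8443', true],  // port on HTTP_HOST is ignored
    ['https://other.test/contact',   '/',                    'example.test',      false],
    ['/contact',                     '/',                    'example.test',      false], // relative referer: reject
    [null,                           'https://example.test', null,                false], // no referer: reject
];

foreach ($cases as [$referer, $url, $httpHost, $want]) {
    $got = isValidReferer($referer, $url, $httpHost);
    printf("referer=%-32s url=%-22s HTTP_HOST=%-20s => %s%s\n",
        var_export($referer, true), $url, var_export($httpHost, true),
        $got ? 'valid' : 'rejected',
        $got === $want ? '' : '  (UNEXPECTED)');
}
```

One caveat on the fallback: HTTP_HOST is only trustworthy when the web server restricts which Host headers reach the site. A server that answers any Host value would make the expected host attacker-chosen, which brings back the cross-site embedding problem tobimori describes. When the `url` option is '/', an explicit allow-list of permitted hosts in the configuration is the safer source for `expectedHost()` than the raw request header.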