Referer is NULL when Kirby URL is '/'

[lemmon]

The Submission Page checks for referer and validates host against Kirby.

kirby-dreamform/classes/Models/FormPage.php

Line 217 in a843b52

if ($site->host() === $path->host()) {

However problem occures when Kirby config url is set to '/'. Hosts obviously don't match and therefore the valid referer is not set.

[tobimori]

Why do you have to use this setup? Shouldn't it work perfectly fine without the / in config.php?

[lemmon]

This is a case when Kirby is used as a headless cms. I need all the urls rendered without host accross whole Kirby. Even the documentation says it is fine to use this setup (https://getkirby.com/docs/reference/system/options/url). Well, this messes up Dreamform.

[tobimori]

Yeah, I noticed the documentation, I was just curious.

The issue is the plugin can't really work without this, you do have to "validate" the URL somehow. I can't send a "relative" redirect, the Referer always has to be a full URL. If I allow any URLs if / is set, it could be abused (you could use the forms from my site on your site).

[tobimori]

Do you use the API submission mode when building headless?

[lemmon]

Yeah, I get that there needs to be some kind of protection. Perhaps it could use HTTP_HOST when $site->host() is not present. Should match HTTP_REFERER with such cases.

Think is that the [almost] whole site is headless but forms get embedded into iframes. This is related to #104. Therefore the forms need to work as a regular Kirby. It's kind of a mixed situation.