I am currently developing a lightweight application, a key feature of which is an iframe widget. This widget, designed to collect basic information (name and email) via a simple form, is intended for embedding across various websites, the domains of which may not be known in advance.
The primary challenge I’m facing involves the secure submission of data. My initial implementation employs a POST request for data transmission. However, this approach triggers a ‘419 page expired’ error upon form submission from a domain outside of the widget’s origin.
Considering the switch to a GET request raises security and data integrity concerns, making me hesitant to adopt this method without fully understanding its implications or exploring other viable alternatives.
Therefore, I am reaching out to this knowledgeable community for guidance on the most secure and efficient method for handling data submissions from this embeddable form widget. Specifically, I am interested in:
Recommendations for securely accepting data through the widget, especially when operating across unknown domains.
Insights into resolving the ‘419 page expired’ issue associated with POST requests from external domains.
The potential security implications of switching to a GET request for data transmission in this context.
Additionally, I am contemplating a feature requiring users to specify their domain before the widget generation. I am curious if incorporating this pre-configuration step could enhance security or circumvent the current challenges.
Any advice or suggestions based on experience or expertise in this area would be greatly appreciated.