added option to disable CSRF check

RensTillmann · Jan 28, 2022 · e45a645 · e45a645
1 parent f429159
commit e45a645
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 8 deletions.
diff --git a/src/docs/changelog.md b/src/docs/changelog.md
@@ -8,8 +8,9 @@
 
 - [PDF Generator Add-on](https://renstillmann.github.io/super-forms/#/pdf-generator-add-on)
 
-## Jan 27, 2022 - Version 6.0.5
+## Jan 28, 2022 - Version 6.0.6
 
+- **Added:** Option to disable CSRF check under `Super Forms > Settings > Form Settings > Cross-Site Request Forgery (CSRF) check`. This allows a user to submit the form that was loaded via an iframe from a different origin address
 - **Fix:** Regenerate nonce for sites that use cache
 
 ## Jan 26, 2022 - Version 6.0.4

diff --git a/src/includes/class-ajax.php b/src/includes/class-ajax.php
@@ -380,7 +380,16 @@ public static function language_switcher() {
         }
         $csrfValidation = SUPER_Common::verifyCSRF();
         if(!$csrfValidation){
-            $verified = false;
+            // Only check when not disabled by the user.
+            // Some users want to use/load their forms via an iframe from a different domain name
+            // In this case sessions won't work  because of browsers "SameSite by default cookies"
+            $global_settings = SUPER_Common::get_global_settings();
+            if(!empty($global_settings['csrf_check']) && $global_settings['csrf_check']==='false'){
+                // Check was disabled by the user, skip it
+            }else{
+                // Return error
+                $verified = false;
+            }
         }
         if($verified===false){
             SUPER_Common::output_message( 
@@ -2663,10 +2672,19 @@ public static function upload_files() {
     public static function submit_form( $settings=null ) {
         $csrfValidation = SUPER_Common::verifyCSRF();
         if(!$csrfValidation){
-            SUPER_Common::output_message( 
-                $error = true, 
-                esc_html__( 'Unable to submit form, session expired!', 'super-forms' )
-            );
+            // Only check when not disabled by the user.
+            // Some users want to use/load their forms via an iframe from a different domain name
+            // In this case sessions won't work  because of browsers "SameSite by default cookies"
+            $global_settings = SUPER_Common::get_global_settings();
+            if(!empty($global_settings['csrf_check']) && $global_settings['csrf_check']==='false'){
+                // Check was disabled by the user, skip it
+            }else{
+                // Return error
+                SUPER_Common::output_message( 
+                    $error = true, 
+                    esc_html__( 'Unable to submit form, session expired!', 'super-forms' )
+                );
+            }
         }
         $atts = self::submit_form_checks($settings);
         $data = $atts['data'];

diff --git a/src/includes/class-settings.php b/src/includes/class-settings.php
@@ -1344,6 +1344,17 @@ public static function fields( $settings=null, $default=0 ) {
                         '1' => esc_html__( 'Enabled', 'super-forms' ),
                     ),
                 ),
+                'csrf_check' => array(
+                    'hidden' => true,
+                    'name' => esc_html__( 'Cross-Site Request Forgery (CSRF) check', 'super-forms' ),
+                    'desc' => esc_html__( 'If you are loading forms through iframes that have a different origin you will require to disable the CSRF check in order to be able to submit forms. This is not recommended. Only use this if you have no other solution.', 'super-forms' ),
+                    'type'=>'select',
+                    'default' => self::get_value( $default, 'csrf_check', $settings, 'true' ),
+                    'values'=>array(
+                        'true' => esc_html__( 'Enabled (recommended)', 'super-forms' ),
+                        'false' => esc_html__( 'Disabled (not recommended)', 'super-forms' )
+                    ),
+                ),
                 'allow_storing_cookies' => array(
                     'hidden' => true,
                     'name' => esc_html__( 'Allow storing cookies', 'super-forms' ),

diff --git a/src/super-forms.php b/src/super-forms.php
@@ -11,7 +11,7 @@
  * @wordpress-plugin
  * Plugin Name:       Super Forms - Drag & Drop Form Builder
  * Description:       The most advanced, flexible and easy to use form builder for WordPress!
- * Version:           6.0.5
+ * Version:           6.0.6
  * Plugin URI:        http://f4d.nl/super-forms
  * Author URI:        http://f4d.nl/super-forms
  * Author:            feeling4design
@@ -43,7 +43,7 @@ final class SUPER_Forms {
          *
          *  @since      1.0.0
         */
-        public $version = '6.0.5';
+        public $version = '6.0.6';
         public $slug = 'super-forms';
         public $apiUrl = 'https://api.super-forms.com/';
         public $apiVersion = 'v1';