
I have a page on domain A which includes JavaScript from domain B. The script loads a form from domain A with Ajax and posts it back to A.

The form got rejected by Yesod because of a missing session variable, which resides in a cookie and isn't transmitted on the Ajax request because of that.

Can Yesod's session mechanism be made to work in such a situation?

Dmitry Vyal
  • I know there must be a reason for you not doing this, but can't you simply copy JavaScript from site B and host it on A, so that everything resides on A? Submitting forms that require session/cookie data cross domain can be tricky, and some would argue it should never be done for security reasons. – Zak Nov 14 '12 at 20:36
  • I'm writing a system for collecting user feedback from third-party sites. The script and server-side machinery are located on domain B and can't be moved. – Dmitry Vyal Nov 15 '12 at 10:08

1 Answer


I was given an answer by Michael Snoyman, the author of Yesod. The easiest way in my case is to disable CSRF protection for that particular form. There is an API function for that.

http://hackage.haskell.org/packages/archive/yesod-form/1.1.4.1/doc/html/Yesod-Form-Functions.html#v:runFormPostNoToken

Dmitry Vyal
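
A sketch of what a tokenless handler for a single form can look like, as an added example (not code from the original post or from the Yesod project). It assumes a current Yesod release rather than the 1.1.4.1 linked above; the route `FeedbackR`, the form, the `allowedOrigins` allowlist and the `Origin` header check are all assumptions, the last included as a compensating control because the CSRF token is no longer verified.

```haskell
{-# LANGUAGE MultiParamTypeClasses, OverloadedStrings, QuasiQuotes #-}
{-# LANGUAGE TemplateHaskell, TypeFamilies #-}
import Control.Monad   (unless)
import Data.ByteString (ByteString)
import Data.Text       (Text)
import Yesod

data App = App

mkYesod "App" [parseRoutes|
/feedback FeedbackR GET POST
|]

instance Yesod App
instance RenderMessage App FormMessage where
    renderMessage _ _ = defaultFormMessage

-- Constructed allowlist of sites permitted to embed the form (assumption).
allowedOrigins :: [ByteString]
allowedOrigins = ["https://customer.example"]

feedbackForm :: Html -> MForm Handler (FormResult Text, Widget)
feedbackForm = renderDivs $ areq textField "Comment" Nothing

-- Serves the form markup that the embedding script fetches.
getFeedbackR :: Handler Html
getFeedbackR = do
    (widget, enctype) <- generateFormPost feedbackForm
    defaultLayout [whamlet|
        <form method=post action=@{FeedbackR} enctype=#{enctype}>
            ^{widget}
            <button>Send
    |]

-- The token check is skipped for this form only, so this handler must not
-- act on session identity. The Origin check is an added compensating control.
postFeedbackR :: Handler Html
postFeedbackR = do
    origin <- lookupHeader "Origin"
    unless (maybe False (`elem` allowedOrigins) origin) $
        permissionDenied "Origin not allowed"
    ((result, _), _) <- runFormPostNoToken feedbackForm
    case result of
        FormSuccess comment -> defaultLayout [whamlet|<p>Received: #{comment}|]
        _                   -> invalidArgs ["comment"]

main :: IO ()
main = warp 3000 App
```

Every other form in the application keeps using `runFormPost`, so the token is still enforced wherever a session cookie carries authority.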