$_POST data disappeared (from another domain) => no solutions

MialaProg · March 9, 2024, 10:39am

Error Message

When I validate a form from another domain, the _POST data disappeared. How can I send this data ? PS: Sometimes this data are big so I can’t use GET.

Other Information

How can I send data from another domain to my website ?

Greenreader9 · March 9, 2024, 2:35pm

Using an HTML form?

Can you share the front end and backend code you have?

MialaProg · March 9, 2024, 2:49pm

Front:

function sendToServer(playlist_txt, listID, nb) {
    // Créez un formulaire dynamiquement
    var form = document.createElement('form');
    form.method = 'POST';
    form.action = 'https://yt.mi.42web.io/add.php';

    // Ajoutez les champs et leurs valeurs
    var champ1 = document.createElement('input');
    champ1.type = 'hidden';
    champ1.name = 'playlist';
    champ1.value = playlist_txt;
    form.appendChild(champ1);

    var champ2 = document.createElement('input');
    champ2.type = 'hidden';
    champ2.name = 'nb';
    champ2.value = nb;
    form.appendChild(champ2);

    var champ3 = document.createElement('input');
    champ3.type = 'hidden';
    champ3.name = 'listID';
    champ3.value = listID;
    form.appendChild(champ3);


    var champ4 = document.createElement('input');
    champ4.type = 'hidden';
    champ4.name = 'name';
    champ4.value = document.title;
    form.appendChild(champ4);

    document.body.appendChild(form);
    form.submit();
}

Back:

var_dump($_POST);

Return:
array(0) => {}

Ziverre · March 9, 2024, 3:34pm

You need to investigate if the javascript code even works at the first place.

Admin · March 9, 2024, 3:47pm

CORS might be an issue when trying to post things to a different domain. A Content Security Policy might also prevent it. Finally, free hosting has a security system that blocks many cross domain things: Ensuring only web browsers can access your website

And that’s all assuming your code is correct. Because I’ve personally never thought of using DOM manipulation to construct a POST request.

The first thing I would do is to open the Network tab in my browser’s Developer Tools to make sure that:

The POST request is actually being sent.
The POST parameters are set correctly.
No additional redirects occur between submitting the form and hitting the PHP code on the other hand (POST data is not submitted again if the first request returns a redirect).

MialaProg · March 9, 2024, 4:20pm

Post data are correctly send but after the ?i= redirection, there are not re-send… -_- It’s sad because this security system limit our possibilities… Is there any way to the server re-send the post data after a ?i= redirection ?

Admin · March 9, 2024, 4:28pm

I don’t think so. I can’t think of any workaround to this particular issue that could be applied here.

To make your project succeed, I can offer a few suggestions:

Consider getting rid of all the different subdomains. There is technically very little reason to have them, and as you’re experiencing, there are downsides to splitting stuff across domains.
If you do need to share data among subdomains on the same account, consider using a MySQL database for that. You can submit the data from one subdomain to the database and read from that same data from another subdomain without any problems.

MialaProg · March 9, 2024, 4:33pm

How the security system makes the difference between a request from the same domain and a request from another domain ? Because maybe with a chrome extension we can say to the server “hey ! It’s ok ! I’m from the same domain”

Greenreader9 · March 9, 2024, 4:50pm

Because that’s how CORS works. A policy is defined at a single protocol://domain :port

https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header

https://fetch.spec.whatwg.org/#cors-protocol-and-credentials

Admin · March 10, 2024, 10:12am

It works through cookie isolation. When you first visit any site hosted here, the security challenge will set a cookie in your browser valid for that specific domain. So if you are viewing mi.42web.io, then the cookie will only be valid for mi.42web.io. If you then try to navigate to yt.mi.42web.io, then the same cookie is not sent, and the security challenge is presented again.

I’m not familiar with the exact APIs available to browser extensions and if you can copy cookies between domains. Maybe it’s possible, but having to use a browser extension so you can spread a website across multiple subdomains seems like a pretty impractical and cumbersome solution to me.

Frank419 · March 10, 2024, 10:35am

It’s possible between a base domain and a subdomain.
It’s also possible to copy cookies between different base domains, but that’s diasbled by modern browsers by default, and Chrome is dropping support for it in the latest version.

system · March 17, 2024, 10:36am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.