Form Block: insecure endpoint (Chrome)

  • Resolved Inge Reck

    (@ingereck)


    3 months, 3 weeks ago

    Providing an email address in the ‘EMAIL FOR FORM SUBMISSIONS’ field, shows a warning in Chrome:
    This form is not secure. Autofill has been turned off.

    In Chrome Console:

    preact.module.js:1 Mixed Content: The page at ‘https://mydomain.com/’ was loaded over a secure connection, but contains a form that targets an insecure endpoint ‘mailto:[email protected]’. This endpoint should be made available over a secure connection.

    The warning disappears when I remove the my email address and ‘mailto:’ in SUBMISSIONS METHOD: custom > Advanced > FORM ACTION

    Leaving the field ‘EMAIL FOR FORM SUBMISSIONS’ empty, does not ‘default to site admin‘. https://github.com/WordPress/gutenberg/issues/44186#issuecomment-1659926336

    I have the Post SMTP plugin installed and email log status is: ‘No recipient forward path has been supplied.‘ Deactivating the Post SMTP plugin, does not change the behaviour.

    Is there a fix to this?

    • This topic was modified 3 months, 3 weeks ago by Inge Reck.

    The page I need help with: [log in to see the link]

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator mizantium

    (@janmtm)

    Hi @ingereck !

    Can you share a detailed breakdown of each step you took before seeing the error you mentioned ?

    Also, what are the themes and/or plugins active on the site when you first experience/d this issue ?

    If you are able to share a screenshot showing the error message, this will also be hugely helpful for understanding what you’ve run into.

    Moderator mizantium

    (@janmtm)

    Hi @ingereck !

    As you haven’t written back with an update in over a month, it’ll be assumed that your issue is resolved for now.

    Please do write back and reopen if this isn’t the case.

    In the ‘view.js’ for the block of /wp-content/plugins/build/block-library/blocks/form, it does:

    document.querySelectorAll('form.wp-block-form').forEach(function (form) {
    // Bail If the form is not using the mailto: action.
    if (!form.action || !form.action.startsWith('mailto:')) {
    return;
    }

    so indeed it forces an action of mailto: or it won’t post.

    The insecure… an https site cannot use mailto: (tons of posts online about this).

    I believe this is a false check above, we don’t really want mailto (e.g. opening the mailer), we want http post.

    Moderator mizantium

    (@janmtm)

    Hi @ingereck !

    Thank you for clarifying further. This is an experimental block, and so I would have redirected you to ask about this at the Github issue, but I see that you’ve found it and asked there. Thank you for doing so.

    When this was activated at Gutenberg → Experiments, the advisory was “Test new blocks to allow building forms (Warning: The new feature is not ready. You may experience UX issues that are being addressed)”

    You may share your screenshots and more details about your specific context and scenario as well, to aid the discussion.

    Thread Starter Inge Reck

    (@ingereck)

    @donbowman

    Thank you for pointing me to this. I agree. As per my understanding mailto: does not send form data encrypted.

    Thread Starter Inge Reck

    (@ingereck)

    Thank you @janmtm. Yes, I will follow-up on GitHub

Viewing 6 replies - 1 through 6 (of 6 total)
  • You must be logged in to reply to this topic.