Can Catalytic capture and validate the domain of the site used to access an embedded webform?
If I have a webform embedded on a website, can Catalytic capture the domain of the website the user was on when they clicked to access the webform? This way we know the person accessed the webform on the site which requires authentication to get into. Ideally this would be something we can return via an API call and have a field to base action conditions off of if the domain meets the requirement.
Additionally, can Catalytic automatically reject the person from accessing the webform if the domain of their website doesn't meet a specific site?
Best Answer
@Jacob_180056 there is currently no mechanism to accomplish that type of goal. From a higher level, the "Referer" (sic) [1] could theoretically be used in a feature request to give something similar to this behavior. However, that is not a strong guarantee as to the origin of the client. The header can be easily spoofed in order to "pretend" the user has access (if the user knows the whitelisted site that requires authentication, even if s/he did not actually have access).
The best way to get security guarantees against potential sharing of a webform link would be to use a manual task and require a Catalytic account.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer
5
Answers
@Jacob_180056 I'm not sure if there's a method to do exactly what you're describing. But if your goal is to protect a webform from being submitted unless someone accesses the webform from a particular link, the approach I would recommend is to auto-populate a field with a URL.
1. Construct the URL on the source page to include a code that could get populated into a field on the webform.
2. In the form, use field validation to prevent the form from being submitted if the code is invalid.
3. Use field conditions to hide the rest of the form if the code is invalid and instead display a message that this is only for the intended audience.
0
@Jeff_146001 Thanks for the feedback.
The specific use case I have is not accessing the form from a specific link. In this case we want to see if Catalytic can identify and pass through which site someone was on when clicking the form link. Since webform trigger URLs are public, anyone could copy and paste the auto-populated URL, which does not meet this inquiry's need. I will submit a possible product feature for this.
0
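The two points raised in this thread (a Referer check passes for any client that sends the expected header, and a static code in the URL can be copied) can be compared with a signed, expiring, single-use code, shown here as an added example that is not part of the thread and not a Catalytic feature. It assumes the authenticated source site issues the code and that a service you control verifies the submitted field value; `SECRET`, `ALLOWED_HOST`, `issue_code` and `verify_code` are hypothetical names.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SECRET = b"constructed-demo-key"     # assumption: known only to the source site and the verifier
ALLOWED_HOST = "portal.example.com"  # hypothetical site that requires authentication
TTL = 300                            # seconds a code stays valid
_used = set()                        # nonces already redeemed (in-memory for this demo)


def referer_allowed(headers):
    """Referer check: true for ANY client that sends the expected value."""
    return urlparse(headers.get("Referer", "")).hostname == ALLOWED_HOST


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_code(user_id, now):
    """Run by the authenticated source page when it builds the webform link."""
    payload = f"{user_id}.{now + TTL}.{secrets.token_hex(8)}"
    return f"{payload}.{_sign(payload)}"


def verify_code(code, now):
    """Run server-side on the submitted field value; returns (ok, detail)."""
    payload, _, sig = code.rpartition(".")
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False, "bad signature"
    # The signature is valid, so the payload has the shape issue_code produced.
    user_id, expiry, nonce = payload.rsplit(".", 2)
    if now > int(expiry):
        return False, "expired"
    if nonce in _used:
        return False, "already used"
    _used.add(nonce)
    return True, user_id
```

A copied link still works until it expires or is redeemed once, so this narrows the sharing window rather than closing it.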