Form Pre-Fill Enabled for Form Embed Codes

I would like to see the form pre-fill option enabled when using a form embed code on Marketo landing pages. The landing page editor form widget has absolute positioning; therefore, it doesn't allow us to optimize the page for any desktop browser size. Having this feature allows us to style the landing page and form however we want to ensure it is optimized for any desktop or mobile screen. I understand that it won't work on external web pages, but it should be able to pre-fill a lead's information on a Marketo hosted landing page.

Someone else had the same issue here: Form NOT prefilling!

10 Comments
Justin_Cooperm2
Level 10

I've posted this a few times, but here's why this is the case:

For prefill to work on embedded forms, it requires a publicly accessible API that retrieves lead information, which can include personally identifying information such as email addresses, mailing addresses, names, and phone numbers. For us to enable prefill on embedded forms in a responsible manner, we need to make certain that the API is created in such a way that it’s acceptably protected from brute force attacks that could allow an attacker to retrieve information about all leads by guessing Marketo cookie values, as well as making certain that the API doesn’t expose leads to XSS (cross-site script) attacks that could be used by an attacker to steal a lead’s info when they visit the attacker’s site.

SanfordWhiteman
Level 10 - Community Moderator

I agree completely with Justin's/Marketo's take here re: embedded forms on 3rd-party sites.  (There's a simple and secure workaround that I use, but that's neither here nor there.)

But that's not really your question. It sounds like you're using Free-Form LPs and that's why you're saying "the landing page editor form widget has absolute positioning."  Switch to Guided LPs and you won't have this problem.

If you must use Free-Form (I recommend forming a migration plan) you can get PreFill there, too.  All you need to do is create the PreFill object using tokens:

MktoForms2.whenReady(function(form){
  form.setValuesCoerced({
    "Email" : decodeURIComponent("{{Lead.Email Address}}"),
    "FirstName" : decodeURIComponent("{{Lead.First Name}}"),
    "LastName" : decodeURIComponent("{{Lead.Last Name}}")
  });
});

Anonymous
Not applicable

Thanks Sanford for your advice. My web developer has decided to try out the guided landing page template. Hopefully that works for us. We only use form pre-fill and Marketo landing pages for our subscription center so leads can see what email is subscribed and what topics they are currently subscribed to. That is probably why we just came across this issue and we were surprised to find out that this feature is not possible on a Marketo landing page.

We still hope that this will be possible in the future.

Anonymous
Not applicable

Hi Justin - Thanks for that explanation. It makes complete sense and we didn't know that was the case. Is this possible in the future if a secure public API is created? Or is it simply impossible to create a secure public API?

SanfordWhiteman
Level 10 - Community Moderator

But as I explained, it *is* already possible even on a Free-Form LP using the tiny bit of code I provided (add it to an HTML element).

If you're using Marketo LPs, there is never any restriction on accessing lead token values. Even if you choose to use a totally 3rd-party form on a Marketo LP, that too becomes PreFill-capable, since you have all tokens at your disposal.

As for creating an acceptably secure cross-domain API, the real question is not whether it is possible (it is, and I have done it) but whether the typical Marketo user -- who is not technically fluent w/r/t domain names and not super-comfy looking at raw HTML or JS -- would be alienated by a couple of extra config steps when adding a form to an outside site. That is, would anything beyond pure copy-and-paste be a barrier to usage, even if it's just adding a domain to a textbox in the Admin section? Hard to know. I *do* know that ostensibly more technical users have, without thinking, built exactly the nightmarish scenario Justin describes, where any 3rd-party site that can get someone to provide their email can promptly read (selected) lead fields for that lead out of your Mkto instance, in essence having the lead hack themselves without knowing it.
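
The protections discussed in this thread for a cross-domain prefill endpoint (a configured domain allow-list, throttling of cookie guesses, and returning only selected fields), shown as an added example that is not part of the original posts and is not Marketo's API. `createPrefillGate`, `lookupLeadByCookie`, the request shape and all constants are hypothetical.

```javascript
// Added example: policy gate in front of a prefill lookup. All names are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://www.example.com"]); // constructed allow-list
const PREFILL_FIELDS = ["Email", "FirstName", "LastName"];    // only what the form needs
const MAX_MISSES = 5;              // unknown-cookie lookups tolerated per client...
const WINDOW_MS = 10 * 60 * 1000;  // ...within this window

function createPrefillGate(lookupLeadByCookie, now = Date.now) {
  const misses = new Map(); // clientId -> { count, windowStart }

  function blocked(clientId) {
    const m = misses.get(clientId);
    if (!m) return false;
    if (now() - m.windowStart >= WINDOW_MS) { misses.delete(clientId); return false; }
    return m.count >= MAX_MISSES;
  }

  function recordMiss(clientId) {
    const m = misses.get(clientId);
    if (m) m.count += 1;
    else misses.set(clientId, { count: 1, windowStart: now() });
  }

  // req: { origin, clientId, cookie } as extracted by the HTTP layer.
  return function handle(req) {
    // Cross-site reads: refuse origins the admin has not listed; never answer with "*".
    if (!ALLOWED_ORIGINS.has(req.origin)) return { status: 403, headers: {}, body: null };
    // Origin can be forged outside a browser, so cookie guessing is throttled separately.
    if (blocked(req.clientId)) return { status: 429, headers: {}, body: null };
    const headers = { "Access-Control-Allow-Origin": req.origin, "Vary": "Origin" };
    const lead = lookupLeadByCookie(req.cookie);
    if (!lead) { recordMiss(req.clientId); return { status: 404, headers, body: null }; }
    // Return only the allow-listed fields, never the whole lead record.
    const body = {};
    for (const f of PREFILL_FIELDS) if (f in lead) body[f] = lead[f];
    return { status: 200, headers, body };
  };
}
```
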

Anonymous
Not applicable

Hi Sanford,

Do you have a link or an example of how you got an embedded form on a 3rd party site/CMS to have prefill capabilities while still being relatively safe from hackers?

SanfordWhiteman
Level 10 - Community Moderator

I'll blog about it when I have room to breathe.

Anonymous
Not applicable

Hi Sanford,

My web team and I are intrigued by the prospect of a secure workaround for getting pre-fill enabled on Marketo forms hosted on our website. We thought of getting creative with the public API, but based on the position of Marketo mentioned above, that doesn't seem like a legally acceptable option.

If you have time for a call or if you ever produced the blog you mentioned earlier, I would love to pick your brain on this.

Justin_Cooperm2
Level 10

Matt,

It's definitely possible to implement this securely using our API. Just takes some manual effort + coding. Sanford will definitely know how to help.

Justin

kh-lschutte
Community Manager
Status changed to: Open Ideas