Re: Form pre-fill for Marketo forms not hosted on Marketo landing pages

Kenny_Elkington
Marketo Employee

Nevin_Laughlin
Level 1

Can you add an example to the blog post that shows calling the endpoint with javascript?

I have tried using jQuery and I get a "No Access Control Origin" when asking for json, and if I try with jsonp I get this error 'Uncaught SyntaxError: Unexpected token :' in the response.

Thanks!!

SanfordWhiteman
Level 10 - Community Moderator

You must not call the REST API directly from the client side. That's even worse than the DoS vulnerability that you create by using the API at all.

Nevin_Laughlin
Level 1

Thanks a lot for your response.

Dan_Stevens_
Level 10 - Champion Alumni

Sounds like Kenny Elkington should update the blog to ensure users are aware of the risks involved - especially as I'm seeing more and more references to this blog post due to the increased need to use pre-fill on non-Marketo LPs. Or better yet, update it with a more secure approach. Just curious, the API call needs to be made for anyone that visits the form page, correct - since there's no way to determine whether or not a lead is KNOWN without doing so. And then if the call returns values (or doesn't return an error), we know the lead is KNOWN. Correct?

SanfordWhiteman
Level 10 - Community Moderator

I would love it if the landscape of supported/suggested technologies could change.

There's a scalable, secure, reliable, yet not officially supported way to accomplish this.  Unfortunately, I doubt I could get Marketo proper to agree that this is the way so I don't describe it here. It would appear to be a hack (I call it elegant!) compared to the seemingly intuitive API method, but the problem is the API method really isn't ready for prime time.

And yep, the first reason (though not the only one) that the API-based solution is such a tasty invitation for a DoS attack is that you're expending API calls even when the lead is anonymous. To avoid this, you can use a hidden form with Known Lead HTML enabled to determine if the lead is known (or you could call an undocumented endpoint directly, but I won't advise that here). But honestly that just improves the scalability for non-malicious situations. Once someone is trying to hack you this won't make a difference.

Anonymous
Not applicable

For one customer, I did use jQuery code on the external form to communicate with custom PHP using the REST API on the server using JSON objects.

Rajesh
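
Added example, not part of any post in this thread and not Marketo code: a server-side gate that decides whether a pre-fill request is allowed to spend one API call, illustrating the quota-exhaustion concern raised above. The names `createPrefillGate`, `admit`, `clientId`, `trackingCookie` and the limits are assumptions. The gate caps what a flood of requests can consume from the API quota; it does not keep pre-fill working during one.

```javascript
// Added example, not from the thread. The gate only decides whether the server
// may spend one API call; the call itself uses credentials held on the server.
function createPrefillGate({ dailyBudget, perClientPerMinute, now = Date.now }) {
  let day = null;
  let spentToday = 0;
  const windows = new Map(); // clientId -> { start, count }; evict old entries in production

  return function admit({ clientId, trackingCookie }) {
    // No tracking cookie means there is nothing to look up: spend no API call.
    if (!trackingCookie) return "anonymous";

    const t = now();
    // Fixed one-minute window per client (clientId is an assumption, e.g. source IP).
    let w = windows.get(clientId);
    if (!w || t - w.start >= 60000) {
      w = { start: t, count: 0 };
      windows.set(clientId, w);
    }
    w.count += 1;
    if (w.count > perClientPerMinute) return "throttled";

    // Global daily budget: requests carrying forged cookies from many clients
    // still cannot consume more than this share of the API quota.
    const today = new Date(t).toISOString().slice(0, 10);
    if (today !== day) {
      day = today;
      spentToday = 0;
    }
    if (spentToday >= dailyBudget) return "budget_exhausted";
    spentToday += 1;
    return "call_api";
  };
}

// Constructed traffic: `requests` hits spread over `clients` distinct client ids.
function simulate({ requests, clients, dailyBudget, perClientPerMinute }) {
  const admit = createPrefillGate({ dailyBudget, perClientPerMinute, now: () => 1700000000000 });
  const tally = { anonymous: 0, throttled: 0, budget_exhausted: 0, call_api: 0 };
  for (let i = 0; i < requests; i++) {
    const cookie = i % 10 === 0 ? "" : "constructed-cookie-" + i; // every 10th has no cookie
    tally[admit({ clientId: "client-" + (i % clients), trackingCookie: cookie })] += 1;
  }
  return tally;
}
```

With 1,000 requests from 1,000 distinct clients and a budget of 200, only 200 lookups reach the API; the per-client limit alone would have let all 900 cookie-bearing requests through.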