I have a need to add a custom header — e.g. `X-My-Custom-Header: my-header-value` — to the POST request sent by a marketo embed on a third-party website. The header is needed by a security layer that we have protecting the subdomain used by our marketo instance.
Has anyone ever tried something like this? Any creative javascript solution for intercepting/injecting the header into the POST request?
Solved! Go to Solution.
This seems kind of silly from a security standpoint? If it’s a static value that you add to every form post, a malicious person can just see the header on your site and send it themselves using a crafted POST. (This is a general reality with marketing forms: you can’t add meaningful authentication layers to them, because by definition they’re on public pages.)
In any case, yes, it is possible if you point to a custom XDFrame. As long as nobody is thinking “our forms are protected against forgery now”.
This seems kind of silly from a security standpoint? If it’s a static value that you add to every form post, a malicious person can just see the header on your site and send it themselves using a crafted POST. (This is a general reality with marketing forms: you can’t add meaningful authentication layers to them, because by definition they’re on public pages.)
In any case, yes, it is possible if you point to a custom XDFrame. As long as nobody is thinking “our forms are protected against forgery now”.