Re: Embedding form on website without form tag

Josef_Lobotka · ‎05-02-2019

we can't add the id="mktoForm_nnn" to our existing form tag.

You don't have to.

You can add it to a custom attribute, e.g. data-marketo-id="mktoForm_1113".

Then, after the page has fully loaded, you can use JS to pick up the value stored in `data-marketo-id` attribute and pass it to MktoForms2 method loadForm (https://developers.marketo.com/javascript-api/forms/api-reference/). This will return a virtual <form> Object that you can manipulate all you want before you append it into the page (e.g. add the ASP attributes you need to maintain).

Micah_Anglin · ‎05-02-2019

We had a similar problem at our place. We chose send the values, that would eventually go to Marketo, into our existing form. In this case it went into our CRM system. Then with a middleware solution (Vertify), we sent those values from the CRM into Marketo. This has been very reliable for us. We found the embedded/hidden Marketo form submission to be unreliable - which I think was due to issues with Javascript from our CRM front end.

SanfordWhiteman · ‎05-02-2019

We found the embedded/hidden Marketo form submission to be unreliable

Well, a hidden form post using the Forms JS API is a lot more reliable than any back-end integration, which has an inherent DoS vulnerability.

Micah_Anglin · ‎05-02-2019

I like how you quoted half of my sentence. I explained it was due to other javascript on the page. So for our case it is less reliable. To be specific, it was 3rd party JS that we can't modify, which got an error preventing the javascript engine from submitting the Marketo form.

Sandford, if you're not too busy taking people's comments out of context, maybe you have a suggestion for getting around 3rd party code that prevents the javascript engine from executing.

About your point of the inherent DoS vulnerability... the back-end integration is behind our firewall and the APIs are only accessible with network credentials over a VPN. I don't see DoS attacks happening much that way. With 2 forms on a public html page though, that seems like 2x the DoS vulnerability. In my case I have just 1 form submitting, which has to be submitted anyhow.

SanfordWhiteman · ‎05-02-2019

I like how you quoted half of my sentence. I explained it was due to other javascript on the page.

You said "I think" -- so it wasn't out of context. Realize that any FUD, even if just an unintentional suggestion, spreads like wildfire in the Marketo community ("I've heard the form post is unreliable" is something I'll hear from a client for reasons like this).

maybe you have a suggestion for getting around 3rd party code that prevents the javascript engine from executing.

Sure, if you show me the code that was stopping the Forms JS API from working, happy to see if there's a workaround. There may well not be: some stuff is so broken by bad code that you can't plug in good code, that's definitely true.

About your point of the inherent DoS vulnerability... the back-end integration is behind our firewall and the APIs are only accessible with network credentials over a VPN. I don't see DoS attacks happening much that way. With 2 forms on a public html page though, that seems like 2x the DoS vulnerability. In my case I have just 1 form submitting, which has to be submitted anyhow.

Every API-based attempt to simulate a Marketo form post requires 2 REST API calls. You have 50,000 API calls per day shared across all your integrations; that's a maximum of 25,000 pseudo-posts. And hitting your page 25K times in a half-hour (allowing for the API's point-in-time rate limits) is trivial for a mildly curious hacker.

The true Marketo Forms endpoint, in contrast, accepts 30 form posts per minute per source IP, that is 43,200 posts per day per every public IP in the world.