I have to import a html form from a different domain and embed it inside the original domain.
Domain example.com calls example.de and gets back a snipped, that is embedded inside the html of example.com. This snipped is a form with fields and a csrf token.
To get the form with the correct session (jsessionid) I use
fetch(_this.getFormUrl(id, _this.config.promotionCode),{ credentials: 'include'})
this works fine.
When I now submit the form (normal submit button) the jsessionid is not send to server.
The following headers are set:
Access-Control-Allow-Credentials true
Access-Control-Allow-Headers: csrftoken, content-type
Access-Control-Allow-Methods: POST, GET, OPTIONS
The form looks like:
<form id="addToCartForm" daction="https://example.com/cart/add" method="post">
<input type="hidden" name="productCodePost" value="code">
<button type="submit"/>
<input type="hidden" name="CSRFToken" value="667336fa-0996-40e1-aed9-a0c149a28fb5">
</form>
I did not find any hint on how to change the default behavior of the browser to include the jsessionid.
Why this concept?
We have two applications and one needs to import the add to cart feature. This has tons of businesses logic and is not easy to recreate. The easiest was to render the html from the shopping solution and use the default post to a controller. Now the Domains changed and we have this challenge.