Safari wrecked our forms!

A wreck on the rocks

One of our long-standing policies at Pro Epic is to host web forms separately from our websites. The main reason is to reduce the attack surface of our customer's sites. Many websites are hacked using exploits or weaknesses in their online forms. We eliminate that risk by hosting our forms on a different domain or sub-domain. That makes it impossible for an attacker to gain access to our customer's website by hacking the contact form, as an example.

 

The form system that we use supports multi-page forms as well as saving a form and coming back later to finish it. The form system sets a cookie in the user's browser to support those functions. The form is embedded in the website using a bit of javascript. The forms are responsive and adjust to the website size, colors, etc. To the user, the form appears to be part of the website.

 

That system has worked flawlessly for us for years, until last week anyway. Last week we were alerted by one of our customers that a page on their webpage was jumping and flashing and was unusable. When we investigated, we could not reproduce the problem. We were only able to reproduce the issue after upgrading our iPad to iPadOS version 13.3.1.

 

The issue only happens with Safari; no other browsers are affected. It only appears on the latest (as of this writing) version of Safari.

 

Here is an example of what we were seeing:

 

 

Several years ago, Apple implemented a feature in the Safari browser called Intelligent Tracking Prevention (ITP). ITP was developed as a way of protecting consumers from overly intrusive third parties that might place tracking cookies in a user's browser. Apparently, Apple now defines "overly intrusive third party" as any website outside of the primary viewing domain. So, if you are viewing a page on www.pro-epic.com and we host our form on splendidforms.com, Safari will not block access to the form, but it will block any cookies from splendidforms.com. Splendidforms.com can't do its job without setting a cookie, so it requests a refresh so it can try again. That is what causes the blinking and jumping around. The page repeatedly refreshes, either in whole or in part.

 

Safari settings for ITP Click to enlargeIf you are a Safari user and you encounter this issue, you can quickly turn off ITP temporarily, do what you need to do with the form, and then turn ITP back on.

We wish it were that easy for website owners and web developers. Safari accounts for about 20% of our traffic. That is too much just to ignore, so we had to come up with some creative solutions.

 

The issue only occurs when a form or other asset that sets a cookie is embedded in a website. We can link to another site containing a form, map, or other application with no problem at all. So we can create either a text link or a linked image easy enough. The link will work the same way for all browsers.

 

A more elegant solution is to use conditional code that will embed a form normally for all browsers except Safari and display a link icon for Safari. It is possible to specify the exact versions of Safari that will display a link or image, but we don't recommend it. That sounds like a maintenance nightmare.

 

An example of the conditional code is available for viewing on our "Get a Free Quote" page at https://www.pro-epic.com/home/get-a-free-quote.html. If you don't have a Mac or an iPad, you can still see how the conditional code works. A linked icon will appear if you view the page in Safari or Firefox. All other browsers will display an embedded form.

 

If we maintain your website and you have discovered this problem, please let us know by filling out the form at this link: https://forms.pro-epic.com/respond/view.php?id=81857 (Yes, we recognize the irony of that request!)

Website Upgrade for QFC Services, LLC
Joomla Updated on January 28, 2020
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Thursday, April 02 2020