Fixing Contact Form 7 Redirection Referrer Failure with IE

On a client WordPress site, we wanted to use Contact Form 7 to grab visitor information and redirect them to an inner page after submission. To make sure they filled out the submission form, the destination page checked the referrer to make sure they came from the form page. Now, there are other ways of doing this, like setting cookies, but this method was good enough for the client.

So this all worked in Chrome and Firefox, but not Internet Explorer.

Shocking.

The Contact Form 7 blog has instructions on how to redirect users to a different page after a successful submission. Under Additional Settings, simply do this:

on_sent_ok: "location='http://www.fubar.com/thanks';"

on_sent_ok is a JavaScript hook. Inside scripts.js, the plugin eventually makes this call:

if (data.onSentOk) $.each(data.onSentOk, function(i, n) { eval(n) });

So "location='http://www.fubar.com/thanks';" gets evaluated by JavaScript and the page redirects. Great.

On the destination page, we were checking the referrer to verify they were coming from the form. Here is an example of how you could do it:

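/* Set where they should be redirected to if user didn't come from the form */
$redirectString = "Location: " . get_site_url() . "/contactform";

// The header is optional, so avoid an undefined-index notice when it is absent
$referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : NULL;

if ($referrer == NULL) {
    header($redirectString);
    exit();
} else {
    $domain = parse_url($referrer);
    // parse_url() may return no "path" key (or false for a malformed URL)
    $path = isset($domain["path"]) ? $domain["path"] : "";
    // strpos() returns 0 for a match at the start, so compare with ===
    $pos = strpos($path, "contactform");
    if ($pos === false) {
        header($redirectString);
        exit();
    }
}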

Now, your PHP should be cleaner: more error checking, checks for XSS, nothing hard-coded, etc.

The problem was that the referrer would always be null when the visitor was using Internet Explorer. The browser isn't required to set the referrer. Browsers won't set it if you start out on an HTTPS site but click on a non-secure link.

And IE won't set it on redirection, but it will set it if you click on a link. So if we fake a link click, IE will set the referrer.

Let's create a JavaScript function to fake a link click. This code is stolen from Stack Overflow:

function goTo(url) {
    var a = document.createElement("a");
    if (a.click) {
        // HTML5 browsers and IE support click() on <a>, early FF does not.
        a.setAttribute("href", url);
        a.style.display = "none";
        document.body.appendChild(a);
        a.click();
    } else {
        // Early FF can, however, use this usual method
        // where IE cannot with secure links.
        window.location = url;
    }
}

OK. Remember, the Contact Form 7 redirection is a JavaScript hook. So now we change the on_sent_ok to call the goTo function instead:

on_sent_ok: "goTo('http://www.fubar.com/thanks');"

Bam. Done.
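
The post mentions cookies as another way to confirm that a visitor came through the form. Because the Referer header is optional and is supplied by the client, a server-signed cookie is the sturdier check. The sketch below is an added example, not code from the original post or from Contact Form 7. The constant names, cookie name, function names and 10-minute lifetime are assumptions, and the array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// Added example. The secret below is a placeholder; the cookie name,
// lifetime and function names are hypothetical.
const CF7_GATE_SECRET = 'replace-with-a-long-random-secret';
const CF7_GATE_COOKIE = 'cf7_gate';
const CF7_GATE_TTL    = 600; // seconds

// Build "expiry.signature". The signature covers the expiry time,
// so the client cannot extend the token's lifetime.
function cf7_gate_issue(int $now): string {
    $expires = $now + CF7_GATE_TTL;
    return $expires . '.' . hash_hmac('sha256', (string) $expires, CF7_GATE_SECRET);
}

// True only for a well-formed, unexpired token signed with our secret.
function cf7_gate_verify($token, int $now): bool {
    // $_COOKIE values can be arrays (name[]=...), so insist on a string.
    if (!is_string($token) || substr_count($token, '.') !== 1) {
        return false;
    }
    list($expires, $mac) = explode('.', $token);
    if (!ctype_digit($expires)) {
        return false;
    }
    $expected = hash_hmac('sha256', $expires, CF7_GATE_SECRET);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $mac) && (int) $expires >= $now;
}

// Call from the server-side code that runs when a submission is accepted.
function cf7_gate_mark_submitted(): void {
    setcookie(CF7_GATE_COOKIE, cf7_gate_issue(time()), [
        'expires'  => time() + CF7_GATE_TTL,
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Call at the top of the destination page, before any output.
function cf7_gate_require(string $formUrl): void {
    if (!cf7_gate_verify($_COOKIE[CF7_GATE_COOKIE] ?? null, time())) {
        header('Location: ' . $formUrl);
        exit();
    }
}
```

One place to call cf7_gate_mark_submitted() is a handler on Contact Form 7's wpcf7_mail_sent action; that wiring is an assumption and is not shown in the post. A token can be reused until it expires, so it shows that a form was submitted recently, not who submitted it.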