Comments (8)
I'm really disappointed by this.
CSP has absolutely no relation to FormKit, and FormKit needs it only for telemetry.
You're trying to sell a browser feature as part of the form component library.
from formkit.
Telemetry is the best way we’ve found to make the pro license affordable. If CSP blocks the telemetry it cannot be used.
I have nothing against telemetry, but it does not have to limit CSP.
The main problem here is that telemetry domains are obfuscated and randomized, and including them in the CSP rules is against your license.
Malicious actors who want to write patches to remove telemetry can crack this in less than five minutes, but your legitimate users are limited to either having less security or paying more money.
I very much like the project, and I want it to be sustainable. But please, think about ways to use telemetry without randomized domains, so we can legally add your telemetry domain to CSP rules. This way both parties are happy.
from formkit.
Using FormKit Pro with a blocking CSP is explicitly one of the restrictions of the non-enterprise license.
Use of obfuscated urls is, of course, intentional and there are no plans to change that — sadly there are plenty of bad actors who would write patches to avoid telemetry which is part of the product offering and against our terms. That said, we do plan to try and make it more obvious that those are related to FormKit so there is no confusion or suspicion. We’ll keep that on the todo list.
from formkit.
For now, can I just add those domains to those allowed by CSP?
Or is that against the terms?
from formkit.
Btw, found your comment here:
Also — it is worth noting that FormKit Pro "fails-on", in other words, if we don't succeed at the telemetry ping, your forms still work just fine so you never experience any kind of "outage".
This statement is no longer true, right? Because my forms not only stopped working, the entire page stopped working.
Digging slightly deeper, the page becomes broken because form fields using pro widgets are now undefined and my code expects strings there (and I have default values set to '').
I very much like the project, it's the best toolkit for form building out there, and we plan to purchase a PRO license when going live. But, if availability of our site depends on third-party domains being available, we should reconsider using PRO :(
But I hope this is indeed an error, and it should not break on failed telemetry pings.
from formkit.
Hi @last-partizan!
For now, can I just add those domains to those allowed by CSP?
No — this is against our policy. Even if you allow that specific domain, there are others which we do not plan to publish.
FormKit Pro still fails-on. If requests fail to our URLs due to them not being available, the form will not fail. No form will fail due to failed telemetry pings. There is an explicit exception when the URLs are blocked due to CSP, so that the developer knows they need to procure an enterprise license. To your point earlier, we need to make this even more clear with a message.
If you need to have a strict CSP, you can purchase an Enterprise License!
from formkit.
Sorry to hear you are disappointed, it is understandable. Telemetry is the best way we’ve found to make the pro license affordable. If CSP blocks the telemetry it cannot be used.
To avoid this, enterprise distributions have no telemetry. If this is an issue shoot us an email at [email protected] and perhaps we can chat about it further offline.
from formkit.
Yes, sorry to hear @last-partizan that you are disappointed with our paid add-on. You are still free to use the MIT-licensed FormKit open source, which represents most of the functionality (data flow, architecture, validation, accessibility, open source inputs, schema, Tailwind themes, and plugins).
We want to build FormKit for the long term, which means we need a way to fund its development. If you find a free form component library you like better, feel free to wrap those components with FormKit and you can still reap many of the benefits of the FormKit architecture while staying completely open source, having a strict CSP, and no telemetry. You just need to find a suitable replacement for the Pro components.
Pro allows us to continuously add value to FormKit as a whole and we are very thankful to the customers who find it valuable enough to pay for it. We understand that this unfortunately does not work for every potential customer.
from formkit.