
Comments (8)

last-partizan avatar last-partizan commented on September 26, 2024 3

I'm really disappointed by this.

CSP has absolutely no relation to FormKit, and FormKit needs it only for telemetry.

You're trying to sell a browser feature as part of the form component library.

from formkit.

last-partizan avatar last-partizan commented on September 26, 2024 3

Telemetry is the best way we’ve found to make the pro license affordable. If CSP blocks the telemetry it cannot be used.

I have nothing against telemetry, but it does not have to limit CSP.

The main problem here is that telemetry domains are obfuscated and randomized, and including them in the CSP rules is against your license.

Malicious actors who want to write patches to remove telemetry can crack this in less than five minutes, but your legitimate users are limited to either having less security or paying more money.

I very much like the project, and I want it to be sustainable. But please, think about ways to use telemetry without randomized domains, so we can legally add your telemetry domain to CSP rules. This way both parties are happy.


justin-schroeder avatar justin-schroeder commented on September 26, 2024

Using FormKit Pro with a blocking CSP is explicitly one of the restrictions of the non-enterprise license.

image

Use of obfuscated urls is, of course, intentional and there are no plans to change that — sadly there are plenty of bad actors who would write patches to avoid telemetry which is part of the product offering and against our terms. That said, we do plan to try and make it more obvious that those are related to FormKit so there is no confusion or suspicion. We’ll keep that on the todo list.


last-partizan avatar last-partizan commented on September 26, 2024

For now, can I just add those domains to the ones allowed by CSP?

Or is that against the terms?


last-partizan avatar last-partizan commented on September 26, 2024

Btw, found your comment here:

https://www.reddit.com/r/vuejs/comments/xxbfzv/comment/itcnx6l/?utm_source=reddit&utm_medium=web2x&context=3

Also — it is worth noting that FormKit Pro "fails-on", in other words, if we don't succeed at the telemetry ping, your forms still work just fine so you never experience any kind of "outage".

This statement is no longer true, right? Because not only did my forms stop working, the entire page stopped working.

Digging slightly deeper, the page becomes broken because form fields using pro widgets are now undefined and my code expects strings there (and I have default values set to '').

I very much like the project, it's the best toolkit for form building out there, and we plan to purchase a PRO license when going live. But, if the availability of our site depends on third-party domains being available, we should reconsider using PRO :(

But I hope this is indeed an error, and it should not break on failed telemetry pings.

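The failure last-partizan describes above (a CSP that blocks a library's outbound ping, and the page breaking as a result) is exactly what a report-only CSP run is meant to surface before enforcement. As an added example that is not code from the thread or from FormKit, here is a triage of the violation reports a browser POSTs to `report-uri`; the sample reports are constructed and the hostnames in them are placeholders, not any vendor's real telemetry domains.

```javascript
// Added example (not FormKit's code): triage the CSP violation reports a
// browser POSTs to `report-uri` while a policy runs in report-only mode, so
// the outbound hosts a page (or a library it loads) contacts are visible
// before the policy is enforced and those requests start failing.
// Sample reports are constructed; hostnames are placeholders.

// Header for a discovery run: only 'self' is allowed for connect-src, so every
// third-party fetch/XHR/beacon target shows up as a report instead of failing.
function reportOnlyHeader(reportPath) {
  return `default-src 'self'; connect-src 'self'; report-uri ${reportPath}`;
}

// Normalise one report body into { directive, host, page }.
function parseViolation(body) {
  const r = typeof body === 'string' ? JSON.parse(body) : body;
  const v = r && r['csp-report'];
  if (!v) return null;
  const directive = (v['effective-directive'] || v['violated-directive'] || '').split(' ')[0];
  let host = v['blocked-uri'] || '';
  try { host = new URL(host).hostname; } catch { /* 'inline', 'eval', 'data' have no host */ }
  return { directive, host, page: v['document-uri'] || '' };
}

// Count blocked targets per directive and list connect-src hosts that are not
// on the allowlist the team intends to ship: those are the pings that would
// fail under an enforcing policy, possibly taking dependent code down with them.
function summarise(bodies, intendedConnectHosts = []) {
  const intended = new Set(intendedConnectHosts);
  const counts = {};
  const unexpected = new Set();
  for (const b of bodies) {
    const v = parseViolation(b);
    if (!v || !v.host) continue;
    const key = `${v.directive} ${v.host}`;
    counts[key] = (counts[key] || 0) + 1;
    if (v.directive === 'connect-src' && !intended.has(v.host)) unexpected.add(v.host);
  }
  return { counts, unexpectedConnectHosts: [...unexpected].sort() };
}

// Constructed sample reports with placeholder hosts.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://app.example/checkout', 'blocked-uri': 'https://api.example/v1/submit', 'effective-directive': 'connect-src' } },
  { 'csp-report': { 'document-uri': 'https://app.example/checkout', 'blocked-uri': 'https://x7k2q.placeholder-ping.example/t', 'effective-directive': 'connect-src' } },
  { 'csp-report': { 'document-uri': 'https://app.example/checkout', 'blocked-uri': 'https://x7k2q.placeholder-ping.example/t', 'effective-directive': 'connect-src' } },
  { 'csp-report': { 'document-uri': 'https://app.example/checkout', 'blocked-uri': 'inline', 'violated-directive': "script-src 'self'" } },
].map((r) => JSON.stringify(r));

console.log(reportOnlyHeader('/csp-report'));
console.log(summarise(SAMPLE_REPORTS, ['api.example']));
```

Any host listed under `unexpectedConnectHosts` is one the enforced policy would block; whether it is added to `connect-src` or the dependency that needs it is replaced is then a deliberate decision rather than a surprise in production.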

luan-nk-nguyen avatar luan-nk-nguyen commented on September 26, 2024

Hi @last-partizan!

For now, can I just add those domains to the ones allowed by CSP?

No — this is against our policy. Even if you allow that specific domain, there are others which we do not plan to publish.

FormKit Pro still fails-on. If requests fail to our URLs due to them not being available, the form will not fail. No form will fail due to failed telemetry pings. There is an explicit exception when the URLs are blocked due to CSP, so that the developer knows they need to procure an enterprise license. To your point earlier, we need to make this even more clear with a message.

If you need to have a strict CSP, you can purchase an Enterprise License!


justin-schroeder avatar justin-schroeder commented on September 26, 2024

Sorry to hear you are disappointed, it is understandable. Telemetry is the best way we’ve found to make the pro license affordable. If CSP blocks the telemetry it cannot be used.

To avoid this, enterprise distributions have no telemetry. If this is an issue shoot us an email at [email protected] and perhaps we can chat about it further offline.


luan-nk-nguyen avatar luan-nk-nguyen commented on September 26, 2024

Yes, sorry to hear @last-partizan that you are disappointed with our paid add-on. You are still free to use the MIT-licensed FormKit open source, which represents most of the functionality (data flow, architecture, validation, accessibility, open source inputs, schema, Tailwind themes, and plugins).

We want to build FormKit for the long term, which means we need a way to fund its development. If you find a free form component library you like better, feel free to wrap those components with FormKit and you can still reap many of the benefits of the FormKit architecture while staying completely open source, having a strict CSP, and no telemetry. You just need to find a suitable replacement for the Pro components.

Pro allows us to continuously add value to FormKit as a whole and we are very thankful to the customers who find it valuable enough to pay for it. We understand that this unfortunately does not work for every potential customer.

