feat: Freeform 5.11

[kjmartens]

Changelog

• feat(SFT-2077): add csrf auto-fetch for all forms, based on craft's async config value

Details

Form-Specific Email Templates

TBD

Form Monitoring Service

TBD

CSRF Token Auto-Fetch

The new auto-fetch mechanism for CSRF tokens for AJAX requests are sent from throughout Freeform, which are then added as X-Craft-Csrf headers to the requests. This new approach works in all scenarios and for cached templates out of the box, so there is no more need to fetch and replace CSRF tokens by yourself for cached pages.

Now the new CSRF auto-fetch mechanism only enables when Craft’s asyncCsrfInputs is set to true. When it is set to false a basic standard hidden input is generated into forms, just like before. When it is set to true the input is never added, and the token is fetched automatically upon request. (There is an exception if the form does not have AJAX enabled. Then the input is still added to the form).

There is a new setting that lets the user pick from two choices:

• One fetches the token Once Per Page View, and reuses it (reduces the amount of additional AJAX requests)
• Second fetches the token Every Time an AJAX request is made by Freeform (makes sure the “unable to verify submission” error never appears, as the token is always fresh).