success / thank-you page redirection issue in cross domain. | Community
Skip to main content
June 24, 2026
Question

success / thank-you page redirection issue in cross domain.

  • June 24, 2026
  • 2 replies
  • 95 views

Consider We have a Form Page: https://www.abc.com/in/en/home/form.html which is loaded using iframe into Domain Page: https://www.xyz.com/sg/en/home/test.html.
Domain: www.abc.com, https://www.xyz.com both are of using separate AEM environment.

Issue:
When we submit the form on this Page: https://www.abc.com/in/en/home/form.html and validated the google recaptcha, it successfully redirects to the thank-you page. But when we try to submit the above form Page which is loaded in iframe in Domain: https://www.xyz.com/sg/en/home/test.html after validating the google recaptcha successfully it is not redirecting to the thank you page and also thank-you page not loads in the iframe on the Page: https://www.xyz.com/sg/en/home/test.html. 

Other Information:
For Page: https://www.abc.com/in/en/home/form.html we do have a redirection logic in the servlet to redirect to the thank-you page after successful google recaptcha validation. We are getting the logger statements as well for servlet in this scenario. But when the same form Page is referenced using iframe and form is submitted in the Page: https://www.xyz.com/sg/en/home/test.html the servlet is not getting triggered and thank-you page redirection is also not happening. We do have the same redirection logic in forward.jsp as well but this also not works on the Page : https://www.xyz.com/sg/en/home/test.html. 
 

Can you please suggest the solution to fix the issue? 

2 replies

ChitraMadan
Community Advisor
Community Advisor
June 24, 2026

Hi ​@VishnuVardhan23 ,

The reCAPTCHA callback or submit handler might be throwing a SecurityError trying to touch window.top, parent.location, or parent.document  in the console.

Don't let the iframed page touch the parent directly. Use postMessage instead.

In the form page (abc.com), replace any direct parent/top access with:

 

// Instead of: window.top.location.href = thankYouUrl;
window.parent.postMessage({ type: 'FORM_SUBMIT_SUCCESS', redirectUrl: thankYouUrl }, 'https://www.xyz.com');

In the domain page (xyz.com), listen for it and redirect the iframe (or the whole page):

 

window.addEventListener('message', function(event) {
if (event.origin !== 'https://www.abc.com') return;
if (event.data.type === 'FORM_SUBMIT_SUCCESS') {
document.getElementById('yourIframeId').src = event.data.redirectUrl;
// or window.location.href = event.data.redirectUrl; if you want full-page redirect
}
});

OR

 

AEM's CSRF token cookie or session cookie is SameSite=Lax/Strict, so it's not sent on the cross-site request from inside the iframe.

Set the cookie to SameSite=None; Secure on abc.com's CSRF/session cookie so it's sent in third-party iframe context. This usually needs a config change in AEM's CSRF filter / dispatcher or wherever the cookie is issued.

 

Thanks,

Chitra

lavishvasuja
Level 4
July 12, 2026

@VishnuVardhan23  -

This appears to be more related to the browser's cross-origin iframe security model than AEM itself, since the form works as expected when accessed directly.

I'd first check:

  • Whether the form submission request is reaching the servlet (Browser Network tab).

  • The browser Console for any CORS, CSP, X-Frame-Options/frame-ancestors, SameSite cookie, third-party cookie, or SecurityError messages.

  • Whether Google reCAPTCHA behaves differently inside a cross-domain iframe.

  • If the redirect logic uses window.top, parent.location, or parent.document, direct access to the parent window may be restricted in a cross-origin iframe. In that case, window.postMessage() is the recommended approach for communicating with the parent page and handling the redirect.

  • Also verify whether the required session/CSRF cookies are being sent in the iframe context, as cookies configured with SameSite=Lax or Strict won't be included in a cross-site iframe.

If the servlet is never invoked when the page is embedded in the iframe, it suggests the issue is occurring before the request reaches the servlet. The Network and Console logs should help narrow down the root cause before making any code or configuration changes.