success / thank-you page redirection issue in cross domain. | Community
Skip to main content
V
VishnuVardhan23
June 24, 2026
Question

success / thank-you page redirection issue in cross domain.

  • June 24, 2026
  • 1 reply
  • 0 views

Consider We have a Form Page: https://www.abc.com/in/en/home/form.html which is loaded using iframe into Domain Page: https://www.xyz.com/sg/en/home/test.html.
Domain: www.abc.com, https://www.xyz.com both are of using separate AEM environment.

Issue:
When we submit the form on this Page: https://www.abc.com/in/en/home/form.html and validated the google recaptcha, it successfully redirects to the thank-you page. But when we try to submit the above form Page which is loaded in iframe in Domain: https://www.xyz.com/sg/en/home/test.html after validating the google recaptcha successfully it is not redirecting to the thank you page and also thank-you page not loads in the iframe on the Page: https://www.xyz.com/sg/en/home/test.html. 

Other Information:
For Page: https://www.abc.com/in/en/home/form.html we do have a redirection logic in the servlet to redirect to the thank-you page after successful google recaptcha validation. We are getting the logger statements as well for servlet in this scenario. But when the same form Page is referenced using iframe and form is submitted in the Page: https://www.xyz.com/sg/en/home/test.html the servlet is not getting triggered and thank-you page redirection is also not happening. We do have the same redirection logic in forward.jsp as well but this also not works on the Page : https://www.xyz.com/sg/en/home/test.html. 
 

Can you please suggest the solution to fix the issue? 

1 reply

ChitraMadan
Community Advisor
ChitraMadanCommunity Advisor
Community Advisor
June 24, 2026

Hi ​@VishnuVardhan23 ,

The reCAPTCHA callback or submit handler might be throwing a SecurityError trying to touch window.top, parent.location, or parent.document  in the console.

Don't let the iframed page touch the parent directly. Use postMessage instead.

In the form page (abc.com), replace any direct parent/top access with:

 

// Instead of: window.top.location.href = thankYouUrl;
window.parent.postMessage({ type: 'FORM_SUBMIT_SUCCESS', redirectUrl: thankYouUrl }, 'https://www.xyz.com');

In the domain page (xyz.com), listen for it and redirect the iframe (or the whole page):

 

window.addEventListener('message', function(event) {
  if (event.origin !== 'https://www.abc.com') return;
  if (event.data.type === 'FORM_SUBMIT_SUCCESS') {
    document.getElementById('yourIframeId').src = event.data.redirectUrl;
    // or window.location.href = event.data.redirectUrl; if you want full-page redirect
  }
});

OR

 

AEM's CSRF token cookie or session cookie is SameSite=Lax/Strict, so it's not sent on the cross-site request from inside the iframe.

Set the cookie to SameSite=None; Secure on abc.com's CSRF/session cookie so it's sent in third-party iframe context. This usually needs a config change in AEM's CSRF filter / dispatcher or wherever the cookie is issued.

 

Thanks,

Chitra

Terms & ConditionsAccessibility statement

Loading footer...