Formspree is removing support for email-based forms, which we call "legacy forms".
What are legacy forms?
Legacy forms are identified by a URL in your form's HTML action attribute that looks like this:
They contain an email address directly in the URL.
Migrating away from legacy forms
Instead of putting an email address directly in your form HTML, we are encouraging users to sign up for an account at https://formspree.io/register. Once registered, you can create forms in the Formspree dashboard by clicking the + New Form button, or by creating a CLI project. Forms created this way will have a URL with a unique identifier, rather than an email address.
If you currently have a legacy form, we suggest that you first create a new form in the Formspree dashboard, or with the Formspree CLI. Then you can replace the action URL in the form's HTML with the new form's URL, or, if using AJAX, update the endpoint to which the form is submitted.
Why we're doing this
We believe that for security and privacy reasons, legacy forms are no longer a good workflow for creating forms. In addition, some browsers are changing the information they send, making it difficult to match submissions to an activated legacy form.
How legacy forms work
When you put an email URL in your form's action and submit, Formspree creates a new legacy form using the email address and the URL of the page where the form was submitted. Both pieces of information are needed. We can't identify the form just by email address alone, since you could have forms on different pages or different websites with the same email address.
The first time you submit, you receive an email asking you to activate the form on that page. Then, once activated, subsequent submissions flow to the email address in the URL.
The problems with legacy forms
Though the above workflow is convenient, it results in several problems:
- Legacy forms expose your email address. It can be detected by bots that scrape websites looking for email addresses.
- Legacy forms use a combination of email address and referring page, or referrer, for identification. In other words, since we only know the email address from the action URL, we must also detect the page from which the form was submitted in order to identify the form. To do this we rely on the referrer header. Due to recent browser changes, the referrer header is no longer a reliable tool for identifying a form.
- Because legacy forms are identified by referrer, a form must be confirmed each time it's added to a new page. This actually creates a new form in Formspree for every different page where a form is hosted. Having to re-activate a form, or seeing several forms in the dashboard that are related to one HTML form, can be confusing.
The biggest problem is related to the second item above. The referrer header is no longer a reliable tool for identifying a form. Browser vendors are becoming more concerned about privacy (for good reason!) and have restricted the information sent in the referrer header by default. Previously this header contained the full URL including path. Now the path information is being removed by default. Website owners can still override this behavior by setting the referrer policy, but most don't set it, and not all browsers respect those settings. For more information on recent changes with Chrome please see this article: https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default
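
The effect described above, as an added example (not Formspree's code): it models the referrer a browser sends under the old default policy (no-referrer-when-downgrade) and the new one (strict-origin-when-cross-origin), then shows that an identification key built from email plus referrer stops matching forms activated earlier. The function names, the key format, the endpoint and the sample pages are assumptions constructed for illustration.

```javascript
// Added illustration; names, key format and sample URLs are constructed.

// Referrer a browser sends for a request from pageUrl to targetUrl under
// the two policies discussed: the old and the new Chrome default.
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  // Simplified downgrade check: HTTPS page submitting to a non-HTTPS target.
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  if (downgrade) return null; // both policies send nothing on a downgrade
  // Fragments and credentials are never part of a referrer.
  const full = page.origin + page.pathname + page.search;
  switch (policy) {
    case "no-referrer-when-downgrade": // old default: full URL with path
      return full;
    case "strict-origin-when-cross-origin": // new default: origin only cross-site
      return page.origin === target.origin ? full : page.origin + "/";
    default:
      throw new Error("policy not modelled: " + policy);
  }
}

// Hypothetical identification key: email from the action URL plus referrer.
function legacyFormKey(email, referer) {
  return email + "|" + (referer ?? "");
}

// Constructed sample: the same email used on two pages of one site.
const ENDPOINT = "https://forms.example/submit"; // placeholder cross-origin endpoint
const EMAIL = "owner@example.com";
const PAGES = ["https://site.example/contact", "https://site.example/jobs/apply"];

function keysUnder(policy) {
  return PAGES.map((p) => legacyFormKey(EMAIL, refererFor(p, ENDPOINT, policy)));
}

// Forms activated under the old default, looked up under the new default.
function matchesAfterPolicyChange() {
  const activated = new Set(keysUnder("no-referrer-when-downgrade"));
  return keysUnder("strict-origin-when-cross-origin").filter((k) => activated.has(k)).length;
}

console.log(keysUnder("no-referrer-when-downgrade"));
console.log(keysUnder("strict-origin-when-cross-origin"));
console.log("previously activated keys still matching:", matchesAfterPolicyChange());
```

Under the old default the two pages produce two distinct keys; under the new default both collapse to the site origin, and neither matches a key recorded at activation time.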