
Using custom mail.php with exported site returns "Error 500" (Referrer Policy: strict-origin-when-cross-origin)

Dear all,

I have to admit I am not a pro developer, usually more project manager/tester. But I think what I try to achieve is FAIRLY easy, I just don’t understand what is happening with Webflow!

If you go to Miu Massage in Chiang Mai there is a contact form! As “Action” I set “”:

My mail.php looks like this, pretty straightforward (I got the code from here and adjusted it):


<?php
// The opening tag and the outer condition are missing from the post; this condition is an assumption.
if (!empty($_POST)) {
  // Strip CR/LF from each field before it is used
  if (isset($_POST['Full-Name'])) $sender_name = preg_replace("([\r\n])", "", $_POST['Full-Name']);
  if (isset($_POST['Email'])) $sender_email = preg_replace("([\r\n])", "", $_POST['Email']);
  if (isset($_POST['Phone'])) $sender_phone = preg_replace("([\r\n])", "", $_POST['Phone']);
  if (isset($_POST['Date'])) $sender_message = preg_replace("([\r\n])", "", $_POST['Date']);

  // PHP rejects the next line with a parse error: a quoted array key cannot be used this way inside a double-quoted string.
  $formcontent="From: $sender_name \n Email: $sender_email \n Line ID/Phone number/Whatsapp: $sender_phone \n Massage Type: $_POST['Massage-Type'] \n Desired Date and Time: $sender_message";
  $recipient = "xyz"; // Removed my email
  $subject = "New Booking Request via Website!";

  // Refuse fields that try to smuggle extra mail headers
  $match = "/(bcc:|cc:|content\-type:)/i";
  if (preg_match($match, $sender_name) ||
      preg_match($match, $sender_email) ||
      preg_match($match, $sender_phone) ||
      preg_match($match, $sender_message)) {
    die("Header injection detected.");
  }

  $mailheader = "From: $sender_email \r\n";
  $mailheader .= "Reply-to: $sender_email\r\n";

  mail($recipient, $subject, $formcontent, $mailheader);
  header('Location: success.html');
} else {
  die("Direct access not allowed!");
}

After that I exported the site and uploaded it via FTP to my server. So the index.html and mail.php are LITERALLY lying next to each other on the same server + folder:

Now when I submit the form via Miu Massage in Chiang Mai I get an “Error 500” and I can see in the Chrome dev tools something about Referrer Policy: strict-origin-when-cross-origin:

Data submitted by the form seems ok!?

Now I don’t understand this:

  • Why is there even ANYTHING mentioned about I even unpublished the Staging site! It does not exist anymore! I exported all files and uploaded them to my own server. It should not have to do ANYTHING with!?
  • How to fix this? I don’t even get that far to see any details whether the PHP file is working or not.

Thank you so much everyone who can help me with that. :sweat:

READ ONLY LINK: Webflow - Miu Massage

Hm, so nobody has any idea? That’s disappointing… :frowning:

Will try to get in touch with Webflow support now and guide them here.

Hi @Steve.Pony thanks for your post, that is strange for sure.

I think it is a good idea to contact Webflow support if you have not already. Webflow support will help to check this and help to find out why is in the access-control-allow-origin response header.

Thanks in advance.


Hi @Steve.Pony,

Dave here again, I was doing some checking and could see that the open graph image on the page is pulling from, see here:


I would change that opengraph image to point to a url that is not hosted in Webflow from page settings on the home page.

There was also one other url to an image hosted by Webflow, or at least appearing in html, to an svg which appears to be broken, see here:


That image appears to be in the testimonial wrapper, I might remove that image as it is not rendering due to an access denied message:


I would next change the opengraph image path in page settings and delete the image with class “horizontal-angle” in your testimonial wrapper or update to another image, then re-export and re-upload to your server and check the form submission again.


Your PHP error (500) probably lies in the variable $formcontent. Word of caution, you should never put unsanitized post data directly in an email. Add a line to your if statements above for the massage input then reference that in the $formcontent.

It would be better to use a library like PHPMailer to handle mail or a third party. Mistakes in custom code can lead to bad things happening. SEE Integrations | Forms & surveys | Webflow University. There are plenty that offer up to 50 submissions a month for free.


Alright, thanks a lot both!

I will indeed check that wrongly pulled image. Because I realized when checking via the page speed is terrible as well and this causing issues. So few optimizations to be made here.

Regarding the mail.php file, Namecheap support pointed out to me as well that it actually has nothing to do with “Referrer Policy: strict-origin-when-cross-origin”, but indeed wrong PHP code. LOL

I was so focused on that strict-origin-when-cross-origin and was wondering why no PHP error, that I didn’t realize how stupid the code was, that I was using. I used multiple variants from different sources, all same result. Anyway - below PROPER code works now!


<?php
$mail_to_send_to = "xyz"; // Removed my email
$from_email = "xyz"; // Removed my email

if (!empty($_POST)) {

     $subject= "New Booking Request from Website!";
     // Form fields are read straight from the request
     $name = $_POST['Full-Name'];
     $email = $_POST['Email'];
     $phone = $_POST['Phone'];
     $date = $_POST['Date'];
     $type = $_POST['Massage-Type'];
     $message =
     "Hi Miu!\r\n\r\nYou received a new booking request from your website:\r\n\r\nFull Name: " . $name . "\nEmail: " . $email . "\nLine ID/Whatsapp: " . $phone . "\r\n\r\nMassage Type: " . $type . "\nDate & Time: " . $date;
     // $email goes into the Reply-To header exactly as submitted
     $headers = "From: $from_email" . "\r\n" . "Reply-To: $email"  ;
     $a = mail( $mail_to_send_to, $subject, $message, $headers );

     if ($a) {
          header('Location: success.html');
     } else {
          header('Location: error.html');
     }
}

Therefore sorry for confusion and “false” alarm. :wink: - Will focus now on page optimization in terms of speed etc.

All the best! Thanks again!


You need to sanitize your input variables! This is unsafe as it is.
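
The input handling that the replies about unsanitized post data ask for, as an added example (not code from the thread or from the poster): `clean_field` and `build_booking_mail` are hypothetical names, the addresses are placeholders, and passing headers to `mail()` as an array assumes PHP 7.2 or later.

```php
<?php
// Added example, not the poster's code. Addresses are placeholders.
const MAIL_TO   = 'owner@example.com';
const MAIL_FROM = 'website@example.com';

// Replace control characters (CR/LF included) with a space and cap the length.
function clean_field(array $post, string $key, int $max = 200): string
{
    $value = is_string($post[$key] ?? null) ? $post[$key] : '';
    $value = trim((string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value));
    return (string) substr($value, 0, $max);
}

// Returns [subject, body, headers], or null when the submission is rejected.
function build_booking_mail(array $post): ?array
{
    $raw = is_string($post['Email'] ?? null) ? $post['Email'] : '';
    // Reject control characters outright, then check the address syntax.
    if (preg_match('/[\x00-\x1F\x7F]/', $raw) || !filter_var($raw, FILTER_VALIDATE_EMAIL)) {
        return null;
    }
    $name = clean_field($post, 'Full-Name');
    if ($name === '') {
        return null;
    }
    $body = "Full Name: $name\r\nEmail: $raw\r\n"
          . 'Line ID/Whatsapp: ' . clean_field($post, 'Phone') . "\r\n"
          . 'Massage Type: ' . clean_field($post, 'Massage-Type') . "\r\n"
          . 'Date & Time: ' . clean_field($post, 'Date');
    // Only the fixed sender and the validated address reach the headers.
    return ['New Booking Request from Website!', $body,
            ['From' => MAIL_FROM, 'Reply-To' => $raw]];
}

if (PHP_SAPI === 'cli') {
    // Constructed samples: a normal submission and one smuggling a Bcc header.
    $ok  = ['Full-Name' => 'Test User', 'Email' => 'user@example.com', 'Phone' => '0123',
            'Date' => '2021-09-01 10:00', 'Massage-Type' => 'Thai'];
    $bad = ['Email' => "user@example.com\r\nBcc: other@example.com"] + $ok;
    echo 'valid accepted: ', var_export(build_booking_mail($ok) !== null, true), "\n";
    echo 'injection rejected: ', var_export(build_booking_mail($bad) === null, true), "\n";
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && ($mail = build_booking_mail($_POST))) {
    [$subject, $body, $headers] = $mail;
    $sent = mail(MAIL_TO, $subject, $body, $headers);
    header('Location: ' . ($sent ? 'success.html' : 'error.html'));
} else {
    http_response_code(400);
    exit('Invalid request.');
}
```

Run from the command line, the script only exercises the two constructed submissions and sends nothing; served over HTTP, it answers anything but a valid POST with a 400.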

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.