I heard about a business named RebelMail a couple of weeks back that offers a product to eCommerce stores: email templates that contain forms for customers to complete abandoned purchases from within their email clients (!!!). How the hell do they do it?
Well it turns out that modern email clients (e.g. www.gmail.com, your iPhone’s email program, etc.) are browser-ish HTML-rendering environments—why wouldn’t they render a <form> tag?
Well, these browser-ish environments have a lot of security concerns. Neither you nor your email provider wants your data being stolen, and there are a lot of possible ways for bad guys to accomplish that; most have to do with injecting content into your browser-ish environment from remote resources by embedding it in the body of an HTML email.
But <form> tags? They’re pretty harmless—there’s nothing inherently “dynamic” or unsafe about them besides the submit button, which directs the user away from the current page and to a URL designated by the form. Here’s an example I sent to my Gmail account:
On clicking the “Go!” button, the values of the form fields are populated in the URL as GET query parameters. I haven’t rigorously tested support for forms across email clients or if the experience can be “gracefully degraded” when they’re not supported (please let me know if you do!).
You can check out the Python code I used to send these form emails on GitHub.
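As an added illustration (not the author's GitHub code), here is one way to build such a message with Python's standard library and to see what URL a "Go!" click produces. The action URL, field names, subject and addresses are assumed placeholders, and the plain-text part is one possible fallback for clients that do not render the form.

```python
from email.message import EmailMessage
from html import escape
from urllib.parse import urlencode, urlsplit

# Assumed placeholder values, not taken from the original post.
ACTION_URL = "https://shop.example/checkout"
FIELDS = ["email", "quantity"]


def build_form_email(sender, recipient, action_url=ACTION_URL, fields=FIELDS):
    """Return a multipart/alternative message: plain-text fallback plus HTML form."""
    # Field values travel in the request URL, so refuse a cleartext action.
    if urlsplit(action_url).scheme != "https":
        raise ValueError("form action must use https")
    inputs = "\n".join(
        f'  <label>{escape(name)} <input type="text" name="{escape(name)}"></label><br>'
        for name in fields
    )
    html = (
        f'<form action="{escape(action_url)}" method="get">\n'
        f"{inputs}\n"
        '  <input type="submit" value="Go!">\n'
        "</form>"
    )
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Complete your order"
    # Plain-text part: shown by clients that do not render HTML at all.
    msg.set_content(f"Complete your order here: {action_url}")
    # HTML part: the form itself; the message becomes multipart/alternative.
    msg.add_alternative(html, subtype="html")
    return msg


def submitted_url(action_url, values):
    """URL requested on submit: the field values become GET query parameters."""
    return f"{action_url}?{urlencode(values)}"


if __name__ == "__main__":
    # Constructed sample addresses; the message is printed, not sent.
    print(build_form_email("store@shop.example", "customer@mail.example"))
    print(submitted_url(ACTION_URL, {"email": "customer@mail.example", "quantity": "2"}))
```

Because the values are sent as query parameters, they end up in browser history and server access logs, so a form like this should not collect anything secret.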