Requiring a manual button click before confirmation #12

Closed
opened 5 years ago by jonas · 3 comments
jonas commented 5 years ago

This is really stupid, but it seems as if Outlook (and possibly other mail clients) either pre-fetch web pages linked from an email, or send the links to Bing for indexing. See this Stackoverflow question:

https://stackoverflow.com/questions/41699071/bingpreview-invalidates-one-time-links-in-email

What this means is someone using Outlook might receive our confirmation mail, but when they click the link, Bing has already hit the link which makes them receive a 404, since the confirmation link is no longer valid. We can purposefully deny Bing any access here, which seems sensible, but the long-term answer is probably to change our logic.

When someone clicks the link, they should be greeted with a web page on which they must click a button to proceed. And that button should be linked with rel="nofollow" or similar, but I'm honestly not sure if that actually prevents web crawlers from clicking that button!

This is really stupid, but it seems as if Outlook (and possibly other mail clients) either pre-fetch web pages linked from an email, or send the links to Bing for indexing. See this Stackoverflow question: https://stackoverflow.com/questions/41699071/bingpreview-invalidates-one-time-links-in-email What this means is someone using Outlook might receive our confirmation mail, but when they click the link, Bing has already hit the link which makes them receive a 404, since the confirmation link is no longer valid. We can purposefully deny Bing any access here, which seems sensible, but the long-term answer is probably to change our logic. When someone clicks the link, they should be greeted with a web page on which they must click a button to proceed. And that button should be linked with rel="nofollow" or similar, but I'm honestly *not sure* if that actually prevents web crawlers from clicking that button!
max.mehl added the
prio:mid
label 4 years ago
Owner

As we were discussing in reuse/api#10, it would be good if each application could have an optional "name" value which could be displayed on the confirmation page. This way, even if forms is generally FSFE branded, people coming from external pages like PMPC or REUSE could see that they actually sign up for what they came for.

As we were discussing in https://git.fsfe.org/reuse/api/issues/10, it would be good if each application could have an optional "name" value which could be displayed on the confirmation page. This way, even if forms is generally FSFE branded, people coming from external pages like PMPC or REUSE could see that they actually sign up for what they came for.
max.mehl changed title from Stop Bing (and others) from hitting the URLs, by enforcing a click to Requiring a manual button click before confirmation 12 months ago
Owner

We've received word that Microsoft 365 Outlook servers do the same. So this seems to be a more wide-spread issue. Increasing the prio therefore.

We've received word that Microsoft 365 Outlook servers do the same. So this seems to be a more wide-spread issue. Increasing the prio therefore.
max.mehl added
prio:high
and removed
prio:mid
labels 12 months ago
florian.vuillemot was assigned by max.mehl 3 months ago
Owner

Fixed by #71

Fixed by #71
max.mehl closed this issue 2 months ago
Sign in to join this conversation.
No Milestone
No Assignees
2 Participants
Notifications
Due Date

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Loading…
There is no content yet.