Re: [PR] Fix url in password reset email [cloudstack]

Sat, 06 Dec 2025 06:23:56 -0800 


davift commented on PR #12078:
URL: https://github.com/apache/cloudstack/pull/12078#issuecomment-3620452686

   > Hi @sureshanaparti
   > 
   > As discussed please add http before the domain or management IP to make 
sure the link is clickable
   > 
   > Please check the screenshot
   > 
   > with domainurl
   > 
   > <img alt="Screenshot 2025-12-05 at 5 51 56 PM" width="1583" height="273" 
src="https://private-user-images.githubusercontent.com/1401014/522947463-fd662735-d784-44c4-bccb-36d885ad1390.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NjUwMzA2OTYsIm5iZiI6MTc2NTAzMDM5NiwicGF0aCI6Ii8xNDAxMDE0LzUyMjk0NzQ2My1mZDY2MjczNS1kNzg0LTQ0YzQtYmNjYi0zNmQ4ODVhZDEzOTAucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQVZDT0RZTFNBNTNQUUs0WkElMkYyMDI1MTIwNiUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNTEyMDZUMTQxMzE2WiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9MzY0NWJlYmI3ODYzZWUyM2VkOTI1ZmEyYTJhZjA1NDY4ZTFjMzgzMzBiODA3MDJmYTE2NjYxNGFmNzI2MzYzNCZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QifQ.WlYRsHg6MhHMNek-J4ONDWnSB1mAXX21g8gU2tnLbvc";>
   > Without domainurl
   > 
   > <img alt="Screenshot 2025-12-05 at 5 57 02 PM" width="1516" height="255" 
src="https://private-user-images.githubusercontent.com/1401014/522947822-58e4b131-5194-49cb-b1aa-5d573282413b.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NjUwMzA2OTYsIm5iZiI6MTc2NTAzMDM5NiwicGF0aCI6Ii8xNDAxMDE0LzUyMjk0NzgyMi01OGU0YjEzMS01MTk0LTQ5Y2ItYjFhYS01ZDU3MzI4MjQxM2IucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQVZDT0RZTFNBNTNQUUs0WkElMkYyMDI1MTIwNiUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNTEyMDZUMTQxMzE2WiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9ZTY5NTc1YzU1ZjA0YzIwYmJhOTg0M2RjNmRlMTBjMWU1YjE5OGU2YzYwYWFhNGYyNDEwMzg5YTQ3OWNlNTAyYiZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QifQ.ie7MGQlQjiCjM8LJCqWDYWRfdBgpfAI3yXjkGPdlKE8";>
   
   dear @kiranchavala and @sureshanaparti ,
   
   I appreciated the checks for the presence of `http://` or `https://`, as 
well as the logic to apply a default when neither is provided. My 
recommendation would be to always default to `https://` and require users to 
manually choose a less secure option if they really need it.
   
   This mindset should be applied universally, as users tend to accept whatever 
the default is. Beyond the general risk of “rogue Wi-Fi” exposing 
password-reset links, browsers are increasingly moving toward HTTPS-first 
behavior, and email filters/inspection systems are becoming more suspicious of 
plain-text HTTP URLs.
   
   Please understand this as purely constructive feedback.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to