Hi all,

I raised a ticket <https://code.djangoproject.com/ticket/29975> regarding 
this and was directed here to discuss the topic. The summary is that the 
combination of using click-tracking redirects (which are popular with a 
variety of email providers) with the Django contrib.auth password reset 
views does not work in Safari on macOS and iOS as of the latest major 
versions.

It took me quite a long time to work out what was happening, so I wanted to 
at least raise a ticket where other people might find it, but was also 
hoping to start a discussion around how else the problem could be 
mitigated. An option to disable the internal token redirect might be 
useful, but that then re-opens the token up to being leaked via the 
HTTP_REFERER header.

Regards,
 - Mat

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/20d7a1d1-9c37-44df-8d6f-577f55727efc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to