I wouldn't mind just rolling back the security fix (or maybe making a straightforward way to enable/disable the behavior). We could instead encourage people to use <a rel="noreferrer"> on any links (from the password rest page) to untrusted urls.
On Friday, February 22, 2019 at 5:03:01 AM UTC-5, Henrik Ossipoff Hansen wrote: > > Just wanted to chime in and say we also experienced this issue. We ended > up having to revert the security fix that was added to the view in Django > just to avoid the flood of customers reporting they couldn't reset their > passwords on our apps anymore - so I'm assuming this affects a lot of users > out there. > > torsdag den 21. februar 2019 kl. 14.48.45 UTC+1 skrev Mat Gadd: >> >> You can see this in action yourself using Chrome's Dev Tools. Open Dev >> Tools, then their Settings, and turn on "Auto-open DevTools for popups". >> Then, click any link in the Gmail web app. You'll see you go via >> google.com/url?q=original_url_here. Since they're doing this with >> JavaScript, the links look like they're going to open the real URL, but >> they *don't.* >> >> On Thu, 21 Feb 2019 at 10:44, Mat Gadd <dra...@gmail.com> wrote: >> >>> Exactly that, yes. We've disabled all click tracking that we can, but >>> Gmail has its own redirect which causes Safari's privacy features to kick >>> in. (Some?) Gmail users are unable to use the password reset emails. >>> >>> On Thursday, 21 February 2019 01:03:54 UTC, Philip James wrote: >>>> >>>> Mat, are you saying you're seeing Safari still blocking, even with >>>> click tracking turned off, because GMail itself is inserting a redirect? >>>> >>>> PJJ >>>> http://philipjohnjames.com >>>> >>>> >>>> On Wed, Feb 20, 2019 at 4:46 AM Mat Gadd <dra...@gmail.com> wrote: >>>> >>>>> We're also now seeing Gmail users complain that the password reset >>>>> links don't work, even after we disabled click tracking. It seems that >>>>> Google are inserting their own click tracking into users' emails, which >>>>> is… >>>>> weird? >>>>> >>>>> The markup of links is transformed to the following (where … is our >>>>> original URL): >>>>> >>>>> <a href="…" target="_blank" data-saferedirecturl=" >>>>> https://www.google.com/url?q=…";>Link text here</a> >>>>> >>>>> Gmail is a *huge* provider of emails, and they make up around 54% of >>>>> our user base. Anyone using the Gmail web app can no longer reset their >>>>> password simply by clicking the link in the email. >>>>> >>>>> On Wednesday, 23 January 2019 12:51:22 UTC, Perry Roper wrote: >>>>>> >>>>>> It would appear that this affects a large number of users. We're also >>>>>> experiencing this in the following configurations. >>>>>> >>>>>> - Mailgun click tracking enabled + Safari 12.0 on MacOS or any >>>>>> browser in iOS 12 >>>>>> - Clicking the link in the Gmail app or web app (Mailgun click >>>>>> tracking disabled) + Safari 12.0 on MacOS or any browser in iOS 12. >>>>>> >>>>>> All iOS 12 browsers and MacOS Safari users using the Gmail app, or in >>>>>> any email client if the site they are requesting a password from uses >>>>>> link >>>>>> tracking. >>>>>> >>>>>> On Thursday, 22 November 2018 20:43:15 UTC+7, Mat Gadd wrote: >>>>>>> >>>>>>> Hi all, >>>>>>> >>>>>>> I raised a ticket <https://code.djangoproject.com/ticket/29975> >>>>>>> regarding this and was directed here to discuss the topic. The summary >>>>>>> is >>>>>>> that the combination of using click-tracking redirects (which are >>>>>>> popular >>>>>>> with a variety of email providers) with the Django contrib.auth >>>>>>> password >>>>>>> reset views does not work in Safari on macOS and iOS as of the latest >>>>>>> major >>>>>>> versions. >>>>>>> >>>>>>> It took me quite a long time to work out what was happening, so I >>>>>>> wanted to at least raise a ticket where other people might find it, but >>>>>>> was >>>>>>> also hoping to start a discussion around how else the problem could be >>>>>>> mitigated. An option to disable the internal token redirect might be >>>>>>> useful, but that then re-opens the token up to being leaked via the >>>>>>> HTTP_REFERER header. >>>>>>> >>>>>>> Regards, >>>>>>> - Mat >>>>>>> >>>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "Django developers (Contributions to Django itself)" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to django-develop...@googlegroups.com. >>>>> To post to this group, send email to django-d...@googlegroups.com. >>>>> Visit this group at https://groups.google.com/group/django-developers. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/d/msgid/django-developers/c10f608f-7f5e-4bba-aa89-4779e37d61f0%40googlegroups.com >>>>> >>>>> <https://groups.google.com/d/msgid/django-developers/c10f608f-7f5e-4bba-aa89-4779e37d61f0%40googlegroups.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> For more options, visit https://groups.google.com/d/optout. >>>>> >>>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Django developers (Contributions to Django itself)" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to django-develop...@googlegroups.com. >>> To post to this group, send email to django-d...@googlegroups.com. >>> Visit this group at https://groups.google.com/group/django-developers. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/django-developers/2830288b-6890-4c2f-ac4c-b07a82196619%40googlegroups.com >>> >>> <https://groups.google.com/d/msgid/django-developers/2830288b-6890-4c2f-ac4c-b07a82196619%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> For more options, visit https://groups.google.com/d/optout. >>> >> -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/0abe13ed-f95f-4f87-ba5c-9079f5ad17bf%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
