It would appear that this affects a large number of users. We're also experiencing this in the following configurations.
- Mailgun click tracking enabled + Safari 12.0 on MacOS or any browser in iOS 12 - Clicking the link in the Gmail app or web app (Mailgun click tracking disabled) + Safari 12.0 on MacOS or any browser in iOS 12. All iOS 12 browsers and MacOS Safari users using the Gmail app, or in any email client if the site they are requesting a password from uses link tracking. On Thursday, 22 November 2018 20:43:15 UTC+7, Mat Gadd wrote: > > Hi all, > > I raised a ticket <https://code.djangoproject.com/ticket/29975> regarding > this and was directed here to discuss the topic. The summary is that the > combination of using click-tracking redirects (which are popular with a > variety of email providers) with the Django contrib.auth password reset > views does not work in Safari on macOS and iOS as of the latest major > versions. > > It took me quite a long time to work out what was happening, so I wanted > to at least raise a ticket where other people might find it, but was also > hoping to start a discussion around how else the problem could be > mitigated. An option to disable the internal token redirect might be > useful, but that then re-opens the token up to being leaked via the > HTTP_REFERER header. > > Regards, > - Mat > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/7db0b6fc-073d-4794-8195-01c3d51dfb72%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
